External risk intelligence

XWiki Platform allows attackers to change any document without logging in

CVE advisory

Severity: CRITICAL (CVSS 9.3)

CVE-2026-33137

XWiki Platform's API allows anyone to change any document without logging in, impacting widely used collaboration tools and potentially leading to unauthorized data changes.

Halo Surface Signal

External exposure likelihood

Halo Surface Signal score for CVE-2026-33137: 4

The vulnerability affects the XWiki Platform, a web-based content management system. As a web application frequently deployed to serve public-facing or collaborative knowledge bases, it is standard for such platforms to be exposed via HTTP/HTTPS. The affected API endpoint is a web-accessible resource, making it reachable in standard web deployment configurations.

Horizon Alert

Summary of the vulnerability and why it matters

This critical issue in XWiki Platform allows unauthenticated attackers to import or modify wiki documents through a specific API. This can lead to unauthorized content changes or the introduction of malicious data. Teams should pay attention because it affects a widely used platform for collaboration and knowledge management.

  • Unauthenticated remote attackers can alter wiki documents.
  • Attackers can create or update documents.
  • This could lead to data integrity issues.

Attack Path

How an attacker could exploit the issue

An unauthenticated attacker can exploit this flaw by sending a crafted POST request to the `/wikis/{wikiName}` API. This would allow them to upload and execute arbitrary XAR files, effectively enabling them to create or modify documents within the target XWiki instance without needing any prior access or credentials.

  • Target: XWiki Platform API
  • Access: Unauthenticated
  • Action: POST to /wikis/{wikiName}

Live Threat

Current exploitation, exposure, and threat context

This vulnerability allows unauthenticated attackers to manipulate documents within XWiki Platform instances. Given its open nature, attackers would likely target widely deployed instances accessible over the internet. The direct impact of creating or modifying content without authentication makes it an attractive target for disruptive attacks or as an initial entry point for further compromise.

  • Affects a widely used web platform.
  • Allows unauthenticated API access.
  • No exploit code publicly known.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

Prioritize patching affected XWiki Platform instances to the latest fixed version as soon as possible, given the critical severity and unauthenticated remote code execution risk. If immediate patching is not feasible, focus on network segmentation and robust intrusion detection to mitigate the exposure of the vulnerable API endpoint.

  • Apply XWiki patches 16.10.17 or later.
  • Block network access to the API endpoint.
  • Monitor for unauthorized document modifications.
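One way to start the monitoring recommended above, as an added example rather than code from this advisory or the XWiki project: a small Python scanner that flags POST requests to the `/wikis/{wikiName}` endpoint in reverse-proxy access logs and tallies them per source address. It assumes Combined Log Format, that the API sits under a prefix such as `/xwiki/rest` (the advisory names only the trailing path), and that the proxy's user field is `-` for requests it did not authenticate itself.

```python
"""Flag POST requests to the XWiki /wikis/{wikiName} endpoint in access logs.
Added example for this advisory, not XWiki code. Assumes Combined Log Format
and a REST prefix like /xwiki/rest, so the path is matched by its tail."""
import re
from collections import Counter

# Combined Log Format: ip ident user [ts] "METHOD path proto" status size "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
# ".../wikis/<name>" with no further segments (query string allowed): the
# import endpoint from the advisory, not sub-resources like /wikis/<name>/pages
WIKI_IMPORT_RE = re.compile(r'(^|/)wikis/[^/?]+/?(\?.*)?$')

def parse_line(line):
    """Return a dict of fields, or None if the line is not in CLF."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def is_suspicious(entry):
    """True for a POST to /wikis/{wikiName} with no proxy-authenticated user.
    XWiki form logins do not populate the CLF user field, so a hit means
    'needs review'; tune the user check to what your proxy records."""
    return (entry["method"] == "POST"
            and WIKI_IMPORT_RE.search(entry["path"]) is not None
            and entry["user"] == "-")

def scan(lines):
    """Return (flagged entries, per-source-IP count) for a list of log lines."""
    flagged = [e for e in map(parse_line, lines) if e and is_suspicious(e)]
    return flagged, Counter(e["ip"] for e in flagged)

# Constructed sample lines (not real traffic); addresses are documentation ranges.
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Mar/2026:10:01:02 +0000] "POST /xwiki/rest/wikis/xwiki HTTP/1.1" 200 512 "-" "python-requests/2.31"',
    '198.51.100.3 - alice [12/Mar/2026:10:01:09 +0000] "GET /xwiki/rest/wikis/xwiki/pages HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [12/Mar/2026:10:01:15 +0000] "POST /xwiki/rest/wikis/xwiki?backup=false HTTP/1.1" 200 498 "-" "curl/8.4.0"',
    '192.0.2.9 - - [12/Mar/2026:10:02:00 +0000] "GET /xwiki/rest/wikis/xwiki HTTP/1.1" 200 300 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    hits, by_ip = scan(SAMPLE_LOG)
    for h in hits:
        print(f'{h["ts"]} {h["ip"]} POST {h["path"]} -> review')
    print(dict(by_ip))
```

Feed it the proxy log in front of XWiki and correlate any hits with the wiki's own document history to confirm whether the import was expected.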

Frequently asked questions

What is XWiki Platform and its purpose?

XWiki Platform is a flexible wiki software designed for collaborative knowledge management and building web-based applications. It offers runtime services that allow developers to create custom applications on top of the wiki functionality.

What is CVE-2026-33137, and what is the vulnerability class?

CVE-2026-33137 is a critical vulnerability in XWiki Platform. The weakness class is CWE-862, indicating Missing Authentication for Critical Function, which allows unauthorized actions.

How can an unauthenticated attacker exploit this vulnerability?

An attacker can exploit this by sending a POST request to the `/wikis/{wikiName}` API. This endpoint improperly handles XAR imports, allowing the attacker to create or update documents without authentication.

What is the relevance of CVE-2026-33137 to XWiki Platform deployments?

This vulnerability is relevant because it affects a widely used platform for collaboration and knowledge management that is often exposed online. The ability for unauthenticated users to modify content poses a significant risk to data integrity and system security.

What practical steps should be taken to address this vulnerability?

Organizations should immediately patch their XWiki Platform to versions 16.10.17, 17.4.9, 17.10.3, 18.0.1, or later. If immediate patching isn't possible, network segmentation and monitoring for unauthorized document changes are recommended mitigation strategies.
