CVE-2026-33137
XWiki Platform has an Unauthenticated XAR Import via REST /wikis/{wikiName}
Description
### Impact

`POST /wikis/{wikiName}` executes a XAR import without performing any authentication or authorization checks, allowing an unauthenticated attacker to create or update documents in the target wiki.

### Patches

This vulnerability has been patched in XWiki 16.10.17, 17.4.9, 17.10.3, 18.0.1 and 18.1.0-rc-1.

### Workarounds

XWiki is not aware of any workarounds other than adding a rule to an HTTP proxy that blocks POST requests to the `/wikis/{wikiName}[/]` endpoint.

### Resources

* https://jira.xwiki.org/browse/XWIKI-23953
* https://github.com/xwiki/xwiki-platform/commit/4b7b95b79256374d487e9ece1dc48f527966990f

### For more information

If there are any questions or comments about this advisory:

* Open an issue in [Jira XWiki.org](https://jira.xwiki.org/)
* Send an email to the [Security Mailing List](mailto:security@xwiki.org)

### Attribution

Reported by Sho Odagiri (GMO Cybersecurity by Ierae, Inc.).
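As an added example (not part of the advisory or of XWiki's code), this is the path-matching logic a proxy deny rule or an access-log review for the workaround above needs: flag POST requests to `/wikis/{wikiName}` with an optional trailing slash, while leaving legitimate sub-resources such as `/wikis/{wikiName}/spaces/...` untouched. The REST prefix `/xwiki/rest` is an assumption about the deployment, and the log lines are constructed.

```python
import re
from typing import Dict, List

# The advisory names POST /wikis/{wikiName}[/] as the unauthenticated import endpoint.
# REST_PREFIX is an assumption (XWiki normally serves REST under <context>/rest); adjust
# it to the deployment before using the rule.
REST_PREFIX = "/xwiki/rest"
IMPORT_PATH = re.compile(r"^" + re.escape(REST_PREFIX) + r"/wikis/[^/?#]+/?(?:[?#].*)?$")


def is_xar_import_request(method: str, path: str) -> bool:
    """True when the request hits the import endpoint itself.

    Sub-resources (/wikis/{wikiName}/spaces/..., /wikis/{wikiName}/pages/...) do not match,
    which is the boundary a proxy deny rule for the workaround has to respect.
    """
    return method.upper() == "POST" and IMPORT_PATH.match(path) is not None


# Combined Log Format as written by nginx or Apache in front of XWiki.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r"(?P<status>\d{3}) (?P<size>\S+)"
)


def find_import_attempts(lines: List[str]) -> List[Dict[str, str]]:
    """Return the log entries that match the vulnerable call so they can be triaged."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if m and is_xar_import_request(m["method"], m["path"]):
            hits.append({k: m[k] for k in ("ip", "ts", "method", "path", "status")})
    return hits


# Constructed sample log lines (not real traffic); 203.0.113.0/24 is a documentation range.
SAMPLE_LOG = [
    '203.0.113.10 - - [10/Mar/2026:09:12:01 +0000] "GET /xwiki/rest/wikis/xwiki HTTP/1.1" 200 512',
    '203.0.113.10 - - [10/Mar/2026:09:12:05 +0000] "POST /xwiki/rest/wikis/xwiki HTTP/1.1" 200 87',
    '203.0.113.11 - - [10/Mar/2026:09:12:09 +0000] "POST /xwiki/rest/wikis/xwiki/ HTTP/1.1" 204 0',
    '203.0.113.12 - - [10/Mar/2026:09:13:00 +0000] "POST /xwiki/rest/wikis/xwiki/spaces/Main/pages/WebHome HTTP/1.1" 202 44',
    '203.0.113.13 - - [10/Mar/2026:09:13:30 +0000] "POST /xwiki/rest/wikis/ HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for hit in find_import_attempts(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['ip']} {hit['method']} {hit['path']} -> {hit['status']}")
```

Only the second and third sample lines are reported; a GET, a request to a page sub-resource and a POST with no wiki name all fall outside the rule.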
How to fix CVE-2026-33137
To remediate CVE-2026-33137, upgrade the affected package to a fixed version below.
- Upgrade to 16.10.17 or later
Is CVE-2026-33137 being exploited?
Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- >= 15.10.6, < 16.10.17
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N |