PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-33137 xwiki CVE debrief

CVE-2026-33137 is a critical XWiki Platform vulnerability that allows an unauthenticated attacker to invoke the POST /wikis/{wikiName} API and trigger a XAR import without authentication or authorization checks. In practical terms, that means an attacker can create or update documents in the target wiki remotely, with a direct impact on content integrity and potentially on broader trust in the site. The issue was publicly disclosed on 2026-05-20 and is fixed in XWiki 16.10.17, 17.4.9, 17.10.3, 18.0.1, and 18.1.0-rc-1.

Vendor: xwiki
Product: xwiki-platform
CVSS: CRITICAL 9.3
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-20
Original CVE updated: 2026-05-21
Advisory published: 2026-05-20
Advisory updated: 2026-05-21

Who should care

XWiki administrators, platform operators, security teams, and anyone exposing XWiki to untrusted networks should treat this as urgent. Organizations that allow direct access to XWiki’s web/API endpoints, especially public-facing deployments, should prioritize verification and patching immediately.

Technical summary

The advisory states that POST /wikis/{wikiName} executes a XAR import without any authentication or authorization enforcement. Because the vulnerable endpoint can be reached by an unauthenticated attacker, the flaw permits remote creation or modification of wiki documents. The supplied advisory and NVD data classify the issue as high-impact, with CVSS 9.3 and CWE-862 (missing authorization).

Defensive priority

Critical. This is a remote, unauthenticated integrity compromise in a core content-management workflow. Patch as soon as possible, and treat any exposed XWiki instance on affected versions as high risk until confirmed remediated.

Recommended defensive actions

  • Upgrade XWiki to a fixed release for your branch: 16.10.17, 17.4.9, 17.10.3, 18.0.1, or 18.1.0-rc-1, as applicable.
  • If immediate patching is not possible, restrict network access to XWiki and its API endpoints to trusted administrative sources only.
  • Review recent document and wiki content changes for unauthorized imports or unexpected edits on exposed instances.
  • Check logs and change history around POST /wikis/{wikiName} activity for signs of abuse or unsolicited document creation.
  • Validate all internet-facing or partner-facing XWiki deployments against the affected version ranges and remediate first where exposure is highest.
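The version check and the log review above can be scripted. The following is an added example, not tooling from PatchSiren or the XWiki project: it flags POST requests whose path ends in /wikis/{wikiName} in a reverse-proxy access log, and classifies an installed XWiki version against the fixed releases named in this debrief. Assumptions, labelled in the code: the log is in Apache/nginx combined format; the REST endpoint is reached under a prefix such as /xwiki/rest; the fixed releases are grouped by their major.minor branch line; versions on a branch line the debrief does not name are reported as "unknown-branch" rather than guessed; the sample log lines are constructed.

```python
import re

# Fixed releases named in the debrief, keyed by major.minor branch line.
# Assumption: each fixed release closes its own branch line; 18.1.0-rc-1 is handled below.
FIXED_RELEASES = {
    (16, 10): (16, 10, 17),
    (17, 4): (17, 4, 9),
    (17, 10): (17, 10, 3),
    (18, 0): (18, 0, 1),
}


def parse_version(v: str):
    """Split '17.4.9' or '18.1.0-rc-1' into ((major, minor, patch), pre-release tag or None)."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:-(.+))?", v.strip())
    if not m:
        raise ValueError(f"unrecognised XWiki version string: {v!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3))), m.group(4)


def fix_status(version: str) -> str:
    """Return 'fixed', 'vulnerable' or 'unknown-branch' for an installed version.

    Only the fixed releases named in the debrief are used. Pre-release tags on the
    listed branch lines are compared by their numeric part only (assumption).
    A version on a branch line not named here (e.g. 17.7.0) is reported as
    'unknown-branch' so it gets reviewed against the advisory instead of being guessed.
    """
    nums, _pre = parse_version(version)
    branch = nums[:2]
    if branch == (18, 1):
        # 18.1.0-rc-1 is the first build listed as fixed on the 18.1 line (assumption:
        # every 18.1 build is at or after it).
        return "fixed" if nums >= (18, 1, 0) else "vulnerable"
    fixed = FIXED_RELEASES.get(branch)
    if fixed is None:
        return "unknown-branch"
    return "fixed" if nums >= fixed else "vulnerable"


# Combined log format as written by a reverse proxy in front of XWiki (assumption).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) \S+" (?P<status>\d{3})'
)
# The endpoint in the debrief is POST /wikis/{wikiName}. Under XWiki's REST API it is
# normally reached with a prefix such as /xwiki/rest (assumption), so match the path
# suffix only, and require that nothing follows the wiki name except a query string:
# deeper paths such as /wikis/x/spaces/... are different endpoints.
WIKI_IMPORT_RE = re.compile(r"^(?:/\S*?)?/wikis/(?P<wiki>[^/?\s]+)(?:\?\S*)?$")


def flag_wiki_imports(log_lines):
    """Return (ip, user, timestamp, wiki, status) for every POST to /wikis/{wikiName}."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m or m.group("method") != "POST":
            continue
        w = WIKI_IMPORT_RE.match(m.group("path"))
        if w:
            hits.append((m.group("ip"), m.group("user"), m.group("ts"),
                         w.group("wiki"), int(m.group("status"))))
    return hits


# Constructed sample log lines (not real traffic): two POSTs hit the import endpoint,
# one GET and one POST to a deeper page path must be ignored.
SAMPLE_LOG = [
    '203.0.113.7 - - [21/May/2026:02:14:03 +0000] "POST /xwiki/rest/wikis/xwiki HTTP/1.1" 200 512 "-" "curl/8.5.0"',
    '198.51.100.4 - admin [21/May/2026:02:15:10 +0000] "GET /xwiki/rest/wikis/xwiki/spaces/Main HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [21/May/2026:02:15:44 +0000] "POST /xwiki/rest/wikis/xwiki/spaces/Main/pages/WebHome HTTP/1.1" 401 0 "-" "curl/8.5.0"',
    '192.0.2.9 - - [21/May/2026:03:01:00 +0000] "POST /xwiki/rest/wikis/subwiki?backup=true HTTP/1.1" 200 300 "-" "python-requests/2.32"',
]


if __name__ == "__main__":
    for v in ("16.10.16", "17.4.9", "17.7.0", "18.1.0-rc-1"):
        print(f"{v}: {fix_status(v)}")
    for hit in flag_wiki_imports(SAMPLE_LOG):
        print("review:", hit)
```

Every flagged request is a candidate for review, not proof of abuse: a legitimate administrator restoring a XAR backup produces the same log line, so correlate each hit with the wiki's document history and with who, if anyone, was authenticated at the proxy. A 200 response to an unauthenticated POST on an unpatched instance is the case to escalate.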

Evidence notes

The source corpus consistently ties the issue to XWiki Platform and cites an official GitHub security advisory, a fixing commit, and a Jira issue. The advisory description in the supplied data explicitly says the POST /wikis/{wikiName} API performs a XAR import without authentication or authorization checks, and that the flaw is fixed in the listed releases. The vendor field in the source item is generic/low-confidence, so the XWiki attribution should be considered authoritative from the advisory references rather than the metadata label.

Official resources

Publicly disclosed on 2026-05-20. The supplied advisory data indicates remediation was released in XWiki 16.10.17, 17.4.9, 17.10.3, 18.0.1, and 18.1.0-rc-1.