Unauthenticated XAR Import via POST /wikis/{wikiName} <18.1.0-rc-1 in XWiki
CVE-2026-33137 Published on May 20, 2026
XWiki Platform has an Unauthenticated XAR Import via REST /wikis/{wikiName}
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. XWiki Platform is a generic wiki platform. In versions starting with 15.10.6 and prior to 18.1.0-rc-1, 17.10.3, 17.4.9, and 16.10.17, the POST /wikis/{wikiName} API executes a XAR import without performing any authentication or authorization checks, allowing an unauthenticated attacker to create or update documents in the target wiki. This vulnerability has been patched in XWiki 16.10.17, 17.4.9, 17.10.3, 18.0.1 and 18.1.0-rc-1.
Weakness Type
What is an AuthZ Vulnerability?
The software does not perform an authorization check when an actor attempts to access a resource or perform an action.
CVE-2026-33137 has been classified to as an AuthZ vulnerability or weakness.
Products Associated with CVE-2026-33137
Want to know whenever a new CVE is published for Xwiki? stack.watch will email you.
Affected Versions
xwiki-platform:- Version >= 15.10.6, < 16.10.17 is affected.
- Version >= 17.0.0-rc-1, < 17.4.9 is affected.
- Version >= 17.5.0, < 17.10.3 is affected.
- Version >= 18.0.0-rc-1, < 18.1.0-rc-1 is affected.