GHSA-qrvh-r3f2-9h4r
XWiki Platform has an Unauthenticated XAR Import via REST /wikis/{wikiName}
Details
### Impact
`POST /wikis/{wikiName}` executes a XAR import without performing any authentication or authorization checks, allowing an unauthenticated attacker to create or update documents in the target wiki.
### Patches
This vulnerability has been patched in XWiki 16.10.17, 17.4.9, 17.10.3, 18.0.1 and 18.1.0-rc-1.
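Added here as an example, not part of the advisory: a Python check that classifies a deployed XWiki Platform version against the affected ranges from the advisory's affected-packages table (from 15.10.6 before 16.10.17, from 17.0.0-rc-1 before 17.4.9, from 17.5.0 before 17.10.3, from 18.0.0-rc-1 before 18.1.0-rc-1). It assumes XWiki's `X.Y.Z` / `X.Y.Z-rc-N` numbering, with a release candidate ordered before the final release of the same number.

```python
"""Classify an XWiki Platform version against the affected ranges published
for GHSA-qrvh-r3f2-9h4r (unauthenticated XAR import via POST /wikis/{wikiName})."""
import re
from typing import Optional, Tuple

# (first affected, first fixed) pairs, as listed in the advisory's
# affected-packages table for org.xwiki.platform:xwiki-platform-rest-server.
AFFECTED_RANGES = [
    ("15.10.6", "16.10.17"),
    ("17.0.0-rc-1", "17.4.9"),
    ("17.5.0", "17.10.3"),
    ("18.0.0-rc-1", "18.1.0-rc-1"),
]

# Assumed version grammar: X.Y.Z with an optional -rc-N suffix.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-rc-(\d+))?$")


def parse_version(version: str) -> Tuple[int, int, int, int, int]:
    """Parse a version string into a tuple that sorts correctly.

    The fourth element is 0 for a release candidate and 1 for a final release,
    so '18.1.0-rc-1' sorts before '18.1.0'; the fifth is the rc number.
    """
    match = _VERSION_RE.match(version.strip())
    if not match:
        raise ValueError(f"unrecognised XWiki version string: {version!r}")
    major, minor, patch, rc = match.groups()
    if rc is None:
        return (int(major), int(minor), int(patch), 1, 0)
    return (int(major), int(minor), int(patch), 0, int(rc))


def affected_range(version: str) -> Optional[Tuple[str, str]]:
    """Return the (first affected, first fixed) range containing `version`, or None."""
    parsed = parse_version(version)
    for first, fixed in AFFECTED_RANGES:
        if parse_version(first) <= parsed < parse_version(fixed):
            return (first, fixed)
    return None


def is_affected(version: str) -> bool:
    """True when `version` is inside one of the published affected ranges."""
    return affected_range(version) is not None


if __name__ == "__main__":
    for sample in ["16.10.16", "16.10.17", "17.4.8", "18.0.0", "18.1.0-rc-1"]:
        hit = affected_range(sample)
        print(sample, f"affected, upgrade to {hit[1]}" if hit else "not affected")
```

The Patches line above also names 18.0.1 as patched, while the affected-packages table lists only 18.1.0-rc-1 for the 18.x line, so this check reports 18.0.1 as affected; treat the Patches line as authoritative for that branch.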
### Workarounds
XWiki is not aware of any workarounds other than adding a rule to an HTTP proxy that blocks POST requests to the `/wikis/{wikiName}[/]` endpoint.
### Resources
* https://jira.xwiki.org/browse/XWIKI-23953
* https://github.com/xwiki/xwiki-platform/commit/4b7b95b79256374d487e9ece1dc48f527966990f
### For more information
If there are any questions or comments about this advisory:
* Open an issue in [Jira XWiki.org](https://jira.xwiki.org/)
* Send an email to the [Security Mailing List](mailto:security@xwiki.org)
### Attribution
Reported by Sho Odagiri (GMO Cybersecurity by Ierae, Inc.).
Affected packages

| Package | Affected from | Fixed in | Remediation (pom.xml) |
|---|---|---|---|
| org.xwiki.platform:xwiki-platform-rest-server | 15.10.6 | 16.10.17 | bump `<version>16.10.17</version>` |
| org.xwiki.platform:xwiki-platform-rest-server | 17.0.0-rc-1 | 17.4.9 | bump `<version>17.4.9</version>` |
| org.xwiki.platform:xwiki-platform-rest-server | 17.5.0 | 17.10.3 | bump `<version>17.10.3</version>` |
| org.xwiki.platform:xwiki-platform-rest-server | 18.0.0-rc-1 | 18.1.0-rc-1 | bump `<version>18.1.0-rc-1</version>` |

References
- https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-qrvh-r3f2-9h4r [WEB]
- https://nvd.nist.gov/vuln/detail/CVE-2026-33137 [ADVISORY]
- https://github.com/xwiki/xwiki-platform/commit/4b7b95b79256374d487e9ece1dc48f527966990f [WEB]
- https://github.com/xwiki/xwiki-platform [PACKAGE]
- https://jira.xwiki.org/browse/XWIKI-23953 [WEB]