Unauthenticated Document Manipulation in XWiki Platform
CVE-2026-33137

9.3CRITICAL

Key Information:

Vendor: Xwiki
Status: Xwiki-platform
Vendor: CVE Published:; 20 May 2026

🔔 Create Xwiki Vulnerability Alert

What is CVE-2026-33137?

The XWiki Platform contains a vulnerability that allows unauthenticated attackers to execute the POST /wikis/{wikiName} API, enabling them to import XAR files without any authentication or authorization checks. This flaw permits unauthorized users to create or update documents within a target wiki, posing a significant security risk. The issue is resolved in XWiki versions 16.10.17, 17.4.9, 17.10.3, 18.0.1, and 18.1.0-rc-1.

Affected Version(s)

xwiki-platform < 16.10.17 < 16.10.17

xwiki-platform >= 17.0.0-rc-1, < 17.4.9 < 17.0.0-rc-1, 17.4.9

xwiki-platform >= 17.5.0, < 17.10.3 < 17.5.0, 17.10.3

References

https://github.com/xwiki/xwiki-platform/security/advisori...

x_refsource_CONFIRM

https://github.com/xwiki/xwiki-platform/commit/4b7b95b792...

x_refsource_MISC

https://jira.xwiki.org/browse/XWIKI-23953

x_refsource_MISC

CVSS V4

Score:

9.3

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 20, 2026
Vulnerability Reserved
Mar 17, 2026

CVE-2026-33137 Data

.