Resource Exhaustion Vulnerability in XWiki Platform
CVE-2026-40104
Key Information:
- Vendor: XWiki
- CVE Published: 15 April 2026
What is CVE-2026-40104?
The XWiki Platform, a versatile wiki application framework, contains a vulnerability in its REST API endpoints that may lead to resource exhaustion. Specifically, the endpoints that retrieve metadata for database list properties do not impose query limits, so on large wikis they can consume excessive server resources. This issue is particularly critical for administrators managing large-scale applications. The affected version ranges start at 1.8-rc-1, 17.0.0-rc-1, and 17.5.0-rc-1, and are fixed in versions 16.10.16, 17.4.8, and 17.10.1 respectively. Promptly updating to these versions is essential to mitigate risks associated with this vulnerability.
Affected Version(s)
org.xwiki.platform:xwiki-platform-legacy-oldcore >= 1.8-rc-1, < 16.10.16
org.xwiki.platform:xwiki-platform-legacy-oldcore >= 17.0.0-rc-1, < 17.4.8
org.xwiki.platform:xwiki-platform-legacy-oldcore >= 17.5.0-rc-1, < 17.10.1
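A version check against the affected ranges listed above, as an added example that is not part of the original advisory or XWiki's own code. The function names, the qualifier ordering (milestone before rc before final release) and the sample inventory are assumptions; versions are compared numerically because plain string comparison would sort 17.10.0 before 17.4.8.

```python
import re

# Affected ranges from this page: (first affected version, first fixed version).
AFFECTED_RANGES = [
    ("1.8-rc-1", "16.10.16"),
    ("17.0.0-rc-1", "17.4.8"),
    ("17.5.0-rc-1", "17.10.1"),
]

# Assumed ordering of pre-release qualifiers; no qualifier means a final release.
QUALIFIER_RANK = {"milestone": 0, "rc": 1, "": 2}
VERSION_RE = re.compile(r"(\d+(?:\.\d+)*)(?:-(milestone|rc)-(\d+))?")


def parse_version(text):
    """Turn '17.5.0-rc-1' into a key that sorts numerically, pre-releases first."""
    match = VERSION_RE.fullmatch(text.strip().lower())
    if match is None:
        raise ValueError(f"unrecognised version string: {text!r}")
    numbers = [int(part) for part in match.group(1).split(".")]
    numbers += [0] * (4 - len(numbers))  # pad so that 1.8 compares equal to 1.8.0
    qualifier = match.group(2) or ""
    return (tuple(numbers), QUALIFIER_RANK[qualifier], int(match.group(3) or 0))


def first_fixed_release(version):
    """Return the fixed release for an affected version, or None if not affected."""
    key = parse_version(version)
    for first_affected, first_fixed in AFFECTED_RANGES:
        if parse_version(first_affected) <= key < parse_version(first_fixed):
            return first_fixed
    return None


if __name__ == "__main__":
    # Constructed inventory of instance versions, not data from the advisory.
    inventory = ["16.10.15", "16.10.16", "17.4.9", "17.5.0-rc-1", "17.10.0", "17.10.1"]
    for installed in inventory:
        fix = first_fixed_release(installed)
        status = f"affected, fixed in {fix}" if fix else "not in an affected range"
        print(f"{installed:>12}: {status}")
```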