CVE-2026-33137 · XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it.

01 · The Real Story

This is a warehouse side door that bypasses the badge reader and lets strangers unload their own inventory into your shelves

CVE-2026-33137 is a missing-authorization flaw in XWiki's REST handler for POST /wikis/{wikiName}. On affected branches, that endpoint imports a XAR archive without checking authentication or authorization first, so an unauthenticated remote attacker can create or overwrite documents inside the target wiki. XWiki's issue tracker ties the bug to the REST component and lists affected versions beginning at 15.10.16, 16.4.6, and 16.10.2, with fixes in 16.10.17, 17.4.9, 17.10.3, 18.0.1, and 18.1.0-rc-1.

In practice this is worse than 'just content tampering'. XWiki's own bug notes say a guest can import XWiki.XWikiPreferences and grant guest the programming right, which collapses the gap between document write access and full application-level takeover. The only real brakes are product population and exposure: XWiki is less common than Exchange or Confluence, and many deployments live on internal networks, but if you expose XWiki to the internet this is a pre-auth remote compromise path, not a nuisance bug.

"Pre-auth XAR import turns exposed XWiki into a write-anything endpoint with a realistic path to full wiki takeover."

02 · The Attack Path

4 steps from start to impact.

STEP 01

Find an exposed XWiki REST surface

An attacker fingerprints XWiki over HTTP and checks whether the /wikis/{wikiName} REST route is reachable. Commodity tooling like curl, httpx, or Nuclei-style HTTP checks is enough because no login flow or multi-step state is required.

Conditions required:

The XWiki web application is reachable from the attacker's network position
The REST component is enabled and routed through the front-end proxy
The attacker can guess a valid wiki name such as xwiki

Where this breaks in practice:

Many enterprise XWiki deployments are internal-only, which sharply reduces reachable population
Some reverse proxies only publish selected paths and may not expose the REST route externally
Attackers still need a live XWiki target; this is not a broad internet commodity like VPN appliances

Detection/coverage: External attack-surface tools can usually identify XWiki by title, favicon, headers, or page structure, but most vuln scanners will only prove exposure, not safe exploitability, without sending a write attempt.

STEP 02

POST a malicious XAR import as guest

The attacker sends a crafted POST with a XAR payload to /wikis/{wikiName} using a plain HTTP client such as curl or Burp Suite. Before the fix, the import path executes without the admin-right check that the patch later restores.

Conditions required:

The target version is in an affected branch
The endpoint accepts POST requests through the proxy or load balancer
Request body size limits permit the XAR upload

Where this breaks in practice:

A WAF or reverse proxy rule that blocks POST to /wikis/* can kill the exploit path immediately
Some environments enforce body-size caps that may break larger weaponized XAR archives
Tight network ACLs or VPN-only access remove the pre-auth remote angle

Detection/coverage: Look for POST requests to /wikis/ from unauthenticated sessions, especially with archive-like bodies and 200 or 403 responses. Scanner coverage should be decent for exposure checks but inconsistent for safe active validation because exploitation is state-changing.

STEP 03

Overwrite high-value pages and preferences

Once the import is processed, the attacker can create or update arbitrary wiki documents in the target wiki. XWiki's own issue notes that importing XWiki.XWikiPreferences can give the guest user programming right, turning a document-import bug into an application-privilege escalation path.

Conditions required:

The import logic processes the supplied documents and objects
The attacker knows or discovers the target wiki's standard document names
The instance honors imported preference objects

Where this breaks in practice:

Admins may notice sudden changes to prominent documents, templates, or preference pages
Some operational teams monitor critical spaces and global preference pages for drift
This is application takeover first; host-level code execution may still require follow-on abuse of XWiki scripting features

Detection/coverage: Monitor for unexpected edits to XWiki.XWikiPreferences, security-related pages, templates, or newly created documents authored by guest/anonymous context.

STEP 04

Convert wiki write access into durable control

With guest programming rights or overwritten privileged pages, the attacker can persist, alter content, steal data available to the app, or execute server-side scripting within XWiki's application context. Tooling remains basic at this point: browser interaction or scripted REST/page requests are enough after rights are changed.

Conditions required:

Imported preference changes or privileged pages take effect
Scripting or privileged macros remain enabled in the deployment
The attacker can reach the affected wiki after import

Where this breaks in practice:

Application logging and page history create forensic artifacts
EDR may catch later host-level abuse if the attacker escalates beyond the Java app
If scripting is heavily constrained, blast radius may stay inside content and workflow integrity

Detection/coverage: Audit page history, preference changes, anonymous-to-privileged transitions, and anomalous guest-originated modifications. If this moves into script execution, EDR and JVM process telemetry become relevant only at the follow-on stage.

03 · Intelligence Metadata

The supporting signals.

In-the-wild status	No public exploitation evidence found as of `2026-05-29`; not in CISA KEV, and I found no primary-source campaign reporting for this CVE.
Proof-of-concept availability	No public PoC located in primary sources during this review. Exploitation does not need exotic tooling; `curl`/Burp-grade HTTP clients are sufficient once the route is reachable.
EPSS	`0.00016` from the prompt, which is very low and consistent with a newly disclosed, niche-product issue lacking exploitation chatter.
KEV status	Not KEV-listed as of `2026-05-29` per CISA's catalog.
CVSS vector context	NVD currently displays a GitHub CNA CVSS v4.0 vector of `CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N` scored `9.3` and marked Critical. Important date note: that metadata appears in NVD change history on `2026-05-20`/`2026-05-21`, even though this request asked for a first-principles assessment.
Affected versions	Primary sources tie the bug to XWiki REST and list affected branch points at `15.10.16`, `16.4.6`, and `16.10.2`; treat supported branches before the fixed versions as affected.
Fixed versions	`16.10.17`, `17.4.9`, `17.10.3`, `18.0.1`, and `18.1.0-rc-1`. I found no distro backport advisories in primary sources during this review, so assume upstream versioning until your package source proves otherwise.
Exposure data	I found no CVE-specific GreyNoise or Censys telemetry for this flaw. As a general XWiki exposure signal, Censys reported about 2.9k XWiki instances exposed online while covering a different XWiki flaw; that's not this CVE's vulnerable population, but it shows the product does exist on the public internet.
Disclosure and reporter	Public advisory date is `2026-05-20`. GitHub credits Sho Odagiri (GMO Cybersecurity by Ierae, Inc.); XWiki JIRA tracks the underlying bug as `XWIKI-23953`.

04 · The Call

noisgate verdict.

Final Verdict

= UNCHANGED to CRITICAL (9.1/10)

The decisive amplifier is that this is unauthenticated network-reachable write access to the wiki import pipeline, and XWiki's own bug notes describe a path to granting guest programming rights by importing XWiki.XWikiPreferences. That removes the usual post-auth friction and makes an exposed instance behave much closer to an app-takeover bug than a simple content-defacement issue.

HIGH Technical exploitability of the unauthenticated import path

MEDIUM Assessment that blast radius often reaches full XWiki application compromise

MEDIUM Population-level priority across enterprises given XWiki's narrower deployment footprint

Why this verdict

Pre-auth remote path: no credentials, no user interaction, and no special attacker position beyond HTTP reachability.
Privilege-escalation built into the bug's own notes: XWiki says a guest can import XWiki.XWikiPreferences and grant guest programming right, which is far more dangerous than ordinary document edits.
Low operational friction for attackers: weaponization is just an HTTP POST with a XAR payload; no race, no heap grooming, no auth bypass chain.
Exposure is the only meaningful downtick: many XWiki deployments are internal or niche, so enterprise-wide prevalence is lower than appliance/VPN bugs, but that does not save the instances you actually expose.
Threat intel is quiet, not comforting: low EPSS and no KEV keep this from being a panic-in-the-wild event, but they do not materially reduce impact on a reachable target.

Why not higher?

This is not an every-enterprise, every-perimeter product, and I found no primary-source evidence of exploitation or a polished public exploit kit. Also, the strongest downstream impact is application-context takeover through XWiki rights and scripting, not a one-packet, directly demonstrated OS-level RCE in the advisory.

Why not lower?

Downgrading this to HIGH would underweight the absence of authentication and the fact that the vulnerable action is a write primitive into a privileged import workflow. Once an attacker can import arbitrary documents and potentially change XWiki.XWikiPreferences, the practical blast radius on an exposed instance is too large for a mid-tier bucket.

05 · Compensating Control

What to do — in priority order.

Block POST to /wikis/* at the edge — Put a reverse-proxy or WAF rule in front of XWiki to deny unauthenticated POST requests to /wikis/{wikiName} and similar REST import paths. This is the vendor's stated workaround pattern and should be deployed within 3 days because the noisgate CRITICAL bucket demands fast risk reduction.
Restrict XWiki to trusted networks — If the instance does not need public access, move it behind VPN, SSO gateway, or internal-only ACLs so the attacker can no longer hit the vulnerable route from the internet. Use this as a compensating control within 3 days where patch rollout is slower.
Alert on anonymous writes to wiki preferences and core spaces — Create detections for edits to XWiki.XWikiPreferences, global templates, and newly created pages authored by guest/anonymous context. This will not prevent exploitation, but it shortens dwell time and should be in place within 3 days for exposed deployments.
Diff page history for privilege-bearing documents — Continuously audit high-value XWiki pages and objects for unauthorized changes, especially rights, preferences, and script-bearing documents. For internet-facing instances, stand this up within 3 days to catch silent abuse while remediation is scheduled.

What doesn't work

MFA on user logins does nothing here because the vulnerable path is pre-auth and never asks for a user session.
EDR alone does not stop the initial import; it may only see later host-level abuse after the wiki has already been compromised.
Hiding or customizing the login page does not matter because the exploit targets a REST endpoint, not the interactive authentication flow.

06 · Verification

Crowdsourced verification payload.

Run this on the target XWiki host or inside the container/VM that serves the app, not from an auditor workstation. Invoke it as sudo bash ./check-cve-2026-33137.sh /path/to/xwiki/webapp or just sudo bash ./check-cve-2026-33137.sh; it needs read access to the deployed XWiki webapp/WAR directories so it can inspect xwiki-platform-rest-server JAR versions.

noisgate-verify.sh

BASHREAD-ONLYSAFE

#!/usr/bin/env bash
# check-cve-2026-33137.sh
# Detects likely exposure to CVE-2026-33137 by locating the deployed
# xwiki-platform-rest-server artifact and comparing its version to known fixed branches.
# Exit codes: 0=PATCHED, 1=VULNERABLE, 2=UNKNOWN

set -euo pipefail

TARGET_PATH="${1:-}"
FOUND_JAR=""
FOUND_VERSION=""

find_candidate_jar() {
  local base="$1"
  find "$base" -type f \( -name 'xwiki-platform-rest-server-*.jar' -o -path '*/WEB-INF/lib/xwiki-platform-rest-server-*.jar' \) 2>/dev/null | head -n 1
}

extract_version_from_name() {
  local jar="$1"
  local name
  name="$(basename "$jar")"
  name="${name#xwiki-platform-rest-server-}"
  name="${name%.jar}"
  printf '%s' "$name"
}

normalize_rc() {
  local v="$1"
  # Turn rc markers into a sortable suffix lower than final release.
  v="${v//-rc-/.~rc.}"
  v="${v//RC/.~rc.}"
  printf '%s' "$v"
}

ver_lt() {
  dpkg --compare-versions "$(normalize_rc "$1")" lt "$(normalize_rc "$2")"
}
ver_le() {
  dpkg --compare-versions "$(normalize_rc "$1")" le "$(normalize_rc "$2")"
}
ver_ge() {
  dpkg --compare-versions "$(normalize_rc "$1")" ge "$(normalize_rc "$2")"
}

classify_version() {
  local v="$1"

  # Known fixed versions from advisory: 16.10.17, 17.4.9, 17.10.3, 18.0.1, 18.1.0-rc-1
  # Because the lower affected bounds across old branches are not perfectly explicit in public metadata,
  # this script is conservative: unsupported/ambiguous old lines return UNKNOWN.

  # Patched branches
  if ver_ge "$v" "18.1.0-rc-1"; then
    echo "PATCHED"
    return
  fi
  if ver_ge "$v" "18.0.1" && ver_lt "$v" "18.1.0-rc-1"; then
    echo "PATCHED"
    return
  fi
  if ver_ge "$v" "17.10.3" && ver_lt "$v" "18.0.0"; then
    echo "PATCHED"
    return
  fi
  if ver_ge "$v" "17.4.9" && ver_lt "$v" "17.5.0"; then
    echo "PATCHED"
    return
  fi
  if ver_ge "$v" "16.10.17" && ver_lt "$v" "17.0.0"; then
    echo "PATCHED"
    return
  fi

  # Known vulnerable supported branches
  if ver_ge "$v" "18.0.0" && ver_lt "$v" "18.0.1"; then
    echo "VULNERABLE"
    return
  fi
  if ver_ge "$v" "17.5.0" && ver_lt "$v" "17.10.3"; then
    echo "VULNERABLE"
    return
  fi
  if ver_ge "$v" "17.0.0" && ver_lt "$v" "17.4.9"; then
    echo "VULNERABLE"
    return
  fi
  if ver_ge "$v" "16.10.2" && ver_lt "$v" "16.10.17"; then
    echo "VULNERABLE"
    return
  fi

  # Ambiguous / unsupported / older branches where public metadata is not precise enough
  echo "UNKNOWN"
}

if [[ -n "$TARGET_PATH" ]]; then
  if [[ ! -e "$TARGET_PATH" ]]; then
    echo "UNKNOWN - supplied path does not exist: $TARGET_PATH"
    exit 2
  fi
  FOUND_JAR="$(find_candidate_jar "$TARGET_PATH" || true)"
else
  for p in \
    /usr/lib/xwiki \
    /var/lib/xwiki \
    /opt/xwiki \
    /var/lib/tomcat* \
    /usr/share/tomcat* \
    /var/lib/jetty* \
    /srv \
    /opt ; do
    [[ -e "$p" ]] || continue
    FOUND_JAR="$(find_candidate_jar "$p" || true)"
    [[ -n "$FOUND_JAR" ]] && break
  done
fi

if [[ -z "$FOUND_JAR" ]]; then
  echo "UNKNOWN - could not locate xwiki-platform-rest-server JAR"
  exit 2
fi

FOUND_VERSION="$(extract_version_from_name "$FOUND_JAR")"
STATUS="$(classify_version "$FOUND_VERSION")"

echo "$STATUS - detected xwiki-platform-rest-server version: $FOUND_VERSION ($FOUND_JAR)"
case "$STATUS" in
  PATCHED) exit 0 ;;
  VULNERABLE) exit 1 ;;
  *) exit 2 ;;
esac

07 · Bottom Line

If you remember one thing.

TL;DR

Monday morning: pull an inventory of every XWiki instance, separate internet-exposed from internal-only, and put an edge block in front of POST /wikis/* anywhere you cannot patch immediately. For this CRITICAL verdict, the noisgate mitigation SLA is within 3 days for compensating controls such as proxy/WAF blocks or access restriction, and the noisgate remediation SLA is within 90 days for moving to 16.10.17, 17.4.9, 17.10.3, 18.0.1, or later; for externally exposed systems, do the exposed set first and treat any unexpected edits to XWiki.XWikiPreferences as a live incident trigger.

Sources

Peer Review

What defenders are saying.

Submit a review attribution: handle + country only

0 flags selected · stored anonymously

Validation Results

Crowdsourced verification outputs.

Results submitted by users who ran the verification payload against their environment.