CVE-2026-33137: XWiki Platform has an Unauthenticated XAR Import via REST /wikis/{wikiName}

May 26, 2026

POST /wikis/{wikiName} executes a XAR import without performing any authentication or authorization checks, allowing an unauthenticated attacker to create or update documents in the target wiki

References

github.com/advisories/GHSA-qrvh-r3f2-9h4r
github.com/xwiki/xwiki-platform/commit/4b7b95b79256374d487e9ece1dc48f527966990f
github.com/xwiki/xwiki-platform/security/advisories/GHSA-qrvh-r3f2-9h4r
jira.xwiki.org/browse/XWIKI-23953
nvd.nist.gov/vuln/detail/CVE-2026-33137

Code Behaviors & Features

Detect and mitigate CVE-2026-33137 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →