Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionGitHub Advisory
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. XWiki Platform is a generic wiki platform. In versions prior to 18.1.0-rc-1, 17.10.3, 17.4.9, and 16.10.17, the POST /wikis/{wikiName} API executes a XAR import without performing any authentication or authorization checks, allowing an unauthenticated attacker to create or update documents in the target wiki. This vulnerability has been patched in XWiki 16.10.17, 17.4.9, 17.10.3, 18.0.1 and 18.1.0-rc-1.
AnalysisAI
Unauthenticated XAR import in XWiki Platform allows remote attackers to create or modify arbitrary documents in a target wiki via the POST /wikis/{wikiName} REST endpoint, which was missing authorization checks. Affects all releases prior to 16.10.17, 17.4.9, 17.10.3, 18.0.1, and 18.1.0-rc-1. CVSS 4.0 base score is 9.3 (critical) with no public exploit identified at time of analysis, but the patch commit clearly exposes the trivial nature of the bypass.
Technical ContextAI
XWiki Platform is a Java-based open-source enterprise wiki engine that exposes a REST API for content management, including a XAR (XWiki Archive) import facility used to bulk-load wiki pages, attachments, and configuration. The vulnerable code path is WikiResourceImpl.java in the xwiki-platform-rest-server module, which handles POST /wikis/{wikiName}. The root cause is CWE-862 (Missing Authorization): the handler invoked the XAR import logic without consulting the ContextualAuthorizationManager, so no Right.ADMIN check was enforced on the target wiki reference. The patch injects ContextualAuthorizationManager and calls checkAccess(Right.ADMIN, new WikiReference(wikiName)), returning HTTP 403 when the caller lacks wiki admin rights - a regression test confirms guests now receive FORBIDDEN while superadmin still succeeds.
RemediationAI
Vendor-released patches are available - upgrade to XWiki 16.10.17, 17.4.9, 17.10.3, 18.0.1, or 18.1.0-rc-1 depending on your branch, as documented in the GHSA-qrvh-r3f2-9h4r advisory (https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-qrvh-r3f2-9h4r) and fix commit 4b7b95b79256374d487e9ece1dc48f527966990f. If an immediate upgrade is not feasible, block or require authentication on POST requests to /wikis/{wikiName} (and any /rest/wikis/{wikiName} variants) at a reverse proxy or WAF; the trade-off is that legitimate administrative XAR imports via REST will also break and must be performed through an authenticated path or the web UI. As an additional defense, restrict the REST endpoint to internal management networks until patched. Generic compensating controls such as monitoring for unexpected document creation events in the wiki audit log are useful for detection but do not prevent exploitation.
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-31157
GHSA-qrvh-r3f2-9h4r