Skip to main content

CVE-2026-40104

| EUVDEUVD-2026-22817 MEDIUM
Allocation of Resources Without Limits or Throttling (CWE-770)
2026-04-14 https://github.com/xwiki/xwiki-platform GHSA-mrqg-xmgm-rc5g
6.9
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
6.9 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

5
Analysis Generated
Apr 15, 2026 - 01:13 vuln.today
EUVD ID Assigned
Apr 14, 2026 - 22:46 euvd
EUVD-2026-22817
Analysis Generated
Apr 14, 2026 - 22:46 vuln.today
Patch released
Apr 14, 2026 - 22:46 nvd
Patch available
CVE Published
Apr 14, 2026 - 22:34 nvd
MEDIUM 6.9

DescriptionGitHub Advisory

Impact

REST API endpoints like /xwiki/rest/wikis/xwiki/spaces/AnnotationCode/pages/AnnotationConfig/objects/AnnotationCode.AnnotationConfig/0/properties list all available pages as part of the metadata for database list properties, which can exhaust available resources on large wikis.

Patches

This problem has been patched by applying the configured query limit also to the available values for database list properties in XWiki 16.10.16, 17.4.8 and 17.10.1.

Workarounds

We're not aware of any workarounds apart from upgrading the affected modules.

AnalysisAI

Denial of service via resource exhaustion in XWiki REST API endpoints that list database properties without respecting configured query limits, allowing remote attackers to enumerate all pages on large wiki installations and exhaust server resources. Affects XWiki Platform versions before 16.10.16, 17.4.8, and 17.10.1. Vendor-released patches are available; no public exploit code or active exploitation confirmed at time of analysis.

Technical ContextAI

XWiki Platform's REST API endpoints for object properties (specifically database list type properties) return metadata containing complete page listings without enforcing the configured query limit parameter. The vulnerability stems from CWE-770 (Allocation of Resources Without Limits or Throttling), where the /xwiki/rest/wikis/{wiki}/spaces/{space}/pages/{page}/objects/{object}/properties endpoints enumerate database values without pagination or result set constraints. The affected Maven packages (xwiki-platform-oldcore and xwiki-platform-legacy-oldcore) contain the query handling logic that failed to apply configured limits to these property value lookups. On installations with large numbers of pages, this causes unbounded resource consumption when the REST API generates metadata for database list properties.

RemediationAI

Upgrade XWiki Platform to patched versions: 16.10.16 or later for the 16.x line, 17.4.8 or later for the 17.4.x line, or 17.10.1 or later for the 17.10.x line. The fix applies the configured query limit to database list property enumeration in REST API responses. No workarounds are available other than upgrading affected modules. Reference the patch commit at https://github.com/xwiki/xwiki-platform/commit/47b568c4753a6e682b14be1ca581bdd3b25d45a7 and JIRA issue XWIKI-23550 for technical implementation details.

Share

CVE-2026-40104 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy