Platform: java
Component: org.xwiki.platform:xwiki-platform-oldcore
Fixed in: 1.8.1, 17.0.1, 17.5.1, 16.10.16
CVE-2026-40104 describes a resource exhaustion vulnerability affecting XWiki Platform. An attacker can trigger this vulnerability by repeatedly querying specific REST API endpoints, potentially leading to denial of service. This issue impacts versions 1.8.0 through 17.10.0, excluding 17.5.0-rc-1. Patches are available in versions 16.10.16, 17.4.8, and 17.10.1.
The vulnerability lies in how XWiki Platform handles requests for database list properties through its REST API. Specifically, endpoints such as /xwiki/rest/wikis/xwiki/spaces/AnnotationCode/pages/AnnotationConfig/objects/AnnotationCode.AnnotationConfig/0/properties list every available page as part of the property metadata. On a large wiki with many pages, each such request is expensive, so an attacker who sends a large number of them can overwhelm the server's memory and CPU and cause a denial-of-service (DoS) condition. The impact is most severe for wikis with extensive content and a high volume of users, because the resource exhaustion disrupts normal operations and can render the platform unavailable.
This vulnerability was publicly disclosed on 2026-04-15. There is no indication of active exploitation campaigns or KEV listing at the time of writing. Public proof-of-concept (PoC) code is not currently available, but the vulnerability's nature makes it relatively straightforward to exploit, increasing the potential for future attacks.
Exploit Status
EPSS: 0.05% (15th percentile)
The primary mitigation for CVE-2026-40104 is to upgrade XWiki Platform to a patched version. Patches are available in versions 16.10.16, 17.4.8, and 17.10.1. There are no known workarounds other than upgrading. Before upgrading, review the XWiki release notes for any potential breaking changes and plan a rollback strategy if necessary. After upgrading, confirm the fix by issuing a large number of requests to the previously vulnerable endpoint and verifying that resource usage remains within acceptable limits.
Update XWiki Platform to version 16.10.16 or later, 17.4.8 or later, or 17.10.1 or later to mitigate the resource exhaustion vulnerability in the REST APIs. The update corrects the lack of query limits in API calls that can exhaust server resources on large wikis. See the official XWiki documentation for detailed upgrade instructions.
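As an added example (not from this advisory or the XWiki project), the following Python script scans web-server access logs for the request pattern described above: many hits from a single client on the REST object-property listing endpoints inside a short window. It is a monitoring aid while an upgrade is scheduled, not a workaround. The combined log format, field layout, client addresses and thresholds are assumptions, and the sample log is constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Path pattern for XWiki REST object-property listings:
# /xwiki/rest/wikis/<wiki>/spaces/.../objects/<class>/<n>/properties
PROPERTIES_RE = re.compile(r"/rest/wikis/[^/\s]+/spaces/\S+/objects/[^/\s]+/\d+/properties(?:[/?]|$)")
# Combined log format (Apache/nginx style); the field layout is an assumption.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def flag_property_floods(lines, window=timedelta(seconds=60), threshold=20):
    """Return {client_ip: peak_count} for clients that hit object-property
    endpoints more than `threshold` times inside any sliding `window`."""
    hits = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not PROPERTIES_RE.search(m.group("path")):
            continue
        hits[m.group("ip")].append(datetime.strptime(m.group("ts"), TS_FMT))
    flagged = {}
    for ip, times in hits.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # drop requests that fell out of the window
                start += 1
            count = end - start + 1
            if count > threshold:
                flagged[ip] = max(flagged.get(ip, 0), count)
    return flagged

def build_sample_log():
    """Constructed sample (not real traffic): 203.0.113.7 floods the endpoint
    named in the advisory, 198.51.100.4 browses normally."""
    base = datetime(2026, 4, 15, 10, 0, 0, tzinfo=timezone.utc)
    props = ("/xwiki/rest/wikis/xwiki/spaces/AnnotationCode/pages/AnnotationConfig"
             "/objects/AnnotationCode.AnnotationConfig/0/properties")
    lines = []
    for i in range(30):  # 30 hits in 58 s from one client
        ts = (base + timedelta(seconds=2 * i)).strftime(TS_FMT)
        lines.append(f'203.0.113.7 - - [{ts}] "GET {props} HTTP/1.1" 200 812345')
    for i in range(5):   # a few normal page views plus one property lookup
        ts = (base + timedelta(seconds=15 * i)).strftime(TS_FMT)
        path = props if i == 0 else "/xwiki/bin/view/Main/"
        lines.append(f'198.51.100.4 - - [{ts}] "GET {path} HTTP/1.1" 200 4096')
    return lines

if __name__ == "__main__":
    print(flag_property_floods(build_sample_log()))  # {'203.0.113.7': 30}
```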
CVE-2026-40104 is a vulnerability in XWiki Platform where attackers can exhaust server resources by repeatedly querying specific REST API endpoints, potentially causing a denial-of-service.
You are affected if you are running XWiki Platform 1.8.0 or later up to but not including 17.10.1 (the most recent affected branch is >= 17.5.0-rc-1, < 17.10.1). Upgrade to a patched version to mitigate the risk.
Upgrade XWiki Platform to version 16.10.16, 17.4.8, or 17.10.1. There are no known workarounds besides upgrading.
There is currently no evidence of active exploitation, but the vulnerability's nature makes it potentially exploitable.
Refer to the official XWiki security advisory for detailed information and updates regarding CVE-2026-40104.