XWiki Path Traversal Vulnerability

CVE-2026-23734 is a Critical path traversal vulnerability affecting XWiki’s xwiki-commons-classloader-api component. The vulnerability affects the ssx and jsx endpoints, where a crafted resource parameter beginning with a leading slash can bypass path traversal protections and allow an unauthenticated attacker to read sensitive configuration files from the XWiki server. XWiki rates the issue as Critical, with a CVSS 4.0 score of 9.3.

Technical Details

XWiki is an open-source enterprise wiki platform built on Java and commonly used for internal documentation, knowledge bases, and collaboration sites.

The vulnerability is an incomplete fix for CVE-2025-55748. In affected deployments, the resource parameter in ssx and jsx endpoint requests can accept a leading slash followed by traversal sequences. This allows requests such as /bin/jsx/Main/WebHome?resource=/../../WEB-INF/xwiki.cfg or /bin/ssx/Main/WebHome?resource=/../../WEB-INF/hibernate.cfg.xml to retrieve files outside the intended resource directory.

Successful exploitation can expose sensitive configuration files, including WEB-INF/xwiki.cfg, which may contain credentials, database connection strings, and secrets. The issue is remotely exploitable without authentication and may be reproducible on Tomcat deployments.

Stop Guessing, Start Proving

NodeZero® Proactive Security Platform — Rapid Response

A NodeZero Rapid Response test has been developed to safely validate whether this path traversal vulnerability can be exploited in your environment. The test executes real attack techniques without causing damage, giving teams immediate clarity on exposure.

• Run the Rapid Response test: Launch from the NodeZero platform to determine whether affected XWiki instances can expose sensitive configuration files
• Patch immediately: Upgrade XWiki to a fixed version based on your active branch
• Re-run the test: Confirm the vulnerability is no longer exploitable after remediation

Affected versions & patch

Affected:

• XWiki deployments using vulnerable versions of xwiki-commons-classloader-api prior to the patched releases
• XWiki instances exposing the ssx or jsx endpoints
• XWiki instances running on Tomcat may be reproducible based on the advisory details

Patch:

• Upgrade to XWiki 18.0.0-rc-1 or later
• Upgrade to XWiki 17.10.3 or later
• Upgrade to XWiki 17.4.9 or later
• Upgrade to XWiki 16.10.17 or later
• There is no known workaround other than upgrading XWiki

Customers who cannot patch immediately should restrict network access to XWiki and rotate any secrets stored in files reachable from the web application directory

Timeline

• January 15, 2026 – XWiki opened XCOMMONS-3547 for an incomplete CVE-2025-55748 fix.
• January 16, 2026 – XWiki resolved the issue in the fixed release branches.
• May 20, 2026 – GitHub published advisory GHSA-xq3r-2qv5-vqqm for CVE-2026-23734.

References

• XWiki Advisory: GHSA-xq3r-2qv5-vqqm
• XWiki Bug Tracker: XCOMMONS-3547
• NVD: CVE-2026-23734