CVE-2026-40104
Published: 15 April 2026
Summary
CVE-2026-40104 is a high-severity Allocation of Resources Without Limits or Throttling (CWE-770) vulnerability in XWiki Platform (vendor XWiki). Its CVSS base score is 8.2 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application Exhaustion Flood (T1499.003). The vulnerability is ranked at the 22.6th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SC-6 (Resource Availability).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- Enforces maximum resource allocation limits to directly prevent exhaustion from unlimited page enumeration in vulnerable REST API endpoints.
- Protects against and limits the effects of denial-of-service events such as resource exhaustion triggered by unauthenticated crafted requests.
- Restricts information inputs at API interfaces to mitigate excessive queries that lack limits on large wikis.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability allows unauthenticated crafted requests to REST API endpoints that trigger unbounded page enumeration and resource consumption (memory/CPU), directly enabling Application Exhaustion Flood (T1499.003) for DoS.
NVD Description
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Versions 1.8-rc-1, 17.0.0-rc-1 and 17.5.0-rc-1 and prior include a resource exhaustion vulnerability in REST API endpoints such as /xwiki/rest/wikis/xwiki/spaces/AnnotationCode/pages/AnnotationConfig/objects/AnnotationCode.AnnotationConfig/0/properties, which list all available pages as part of the metadata for database list properties without applying query limits. On large wikis, this can exhaust available server resources. This issue has been patched in versions 16.10.16, 17.4.8 and 17.10.1.
Deeper analysisAI
CVE-2026-40104 is a resource exhaustion vulnerability in the XWiki Platform, a generic wiki platform providing runtime services for applications. It affects versions 1.8-rc-1, 17.0.0-rc-1, 17.5.0-rc-1 and prior, stemming from REST API endpoints such as /xwiki/rest/wikis/xwiki/spaces/AnnotationCode/pages/AnnotationConfig/objects/AnnotationCode.AnnotationConfig/0/properties. These endpoints list all available pages as metadata for database list properties without applying query limits, leading to excessive resource consumption on large wikis. The issue is rated 8.2 on CVSS 3.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H) and maps to CWE-770 (Allocation of Resources Without Limits or Throttling).
An unauthenticated remote attacker can exploit this vulnerability by sending crafted requests to the affected REST API endpoints. On wikis with a large number of pages, these requests trigger the enumeration of all pages without limits, exhausting server resources such as memory or CPU, resulting in denial-of-service conditions that disrupt service availability.
The vulnerability has been addressed in XWiki Platform versions 16.10.16, 17.4.8, and 17.10.1. Relevant advisories include the GitHub security advisory at GHSA-mrqg-xmgm-rc5g, the patch commit at https://github.com/xwiki/xwiki-platform/commit/47b568c4753a6e682b14be1ca581bdd3b25d45a7, and the Jira issue at https://jira.xwiki.org/browse/XWIKI-23550, which detail the fix implementation.
Details
- CWE(s)