Cyber Resilience

CVE-2026-40104

Medium

Published: 15 April 2026

Modified: 23 April 2026
KEV Added
Patch
CVSS Score v4: 6.9 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.0040 (32.2nd percentile)
Risk Priority: 35 (floored blend, peak EPSS)

Summary

CVE-2026-40104 is a medium-severity Allocation of Resources Without Limits or Throttling (CWE-770) vulnerability in Xwiki Xwiki. Its CVSS base score is 6.9 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application Exhaustion Flood (T1499.003). The CVE is ranked at the 32.2nd percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SC-6 (Resource Availability).

Deeper analysis

CVE-2026-40104 is a resource exhaustion vulnerability in the XWiki Platform, a generic wiki platform providing runtime services for applications. It affects versions 1.8-rc-1, 17.0.0-rc-1, 17.5.0-rc-1 and prior, stemming from REST API endpoints such as /xwiki/rest/wikis/xwiki/spaces/AnnotationCode/pages/AnnotationConfig/objects/AnnotationCode.AnnotationConfig/0/properties. These endpoints list all available pages as metadata for database list properties without applying query limits, leading to excessive resource consumption on large wikis. The issue is rated 8.2 on CVSS 3.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H) and maps to CWE-770 (Allocation of Resources Without Limits or Throttling).

An unauthenticated remote attacker can exploit this vulnerability by sending crafted requests to the affected REST API endpoints. On wikis with a large number of pages, these requests trigger the enumeration of all pages without limits, exhausting server resources such as memory or CPU, resulting in denial-of-service conditions that disrupt service availability.

The vulnerability has been addressed in XWiki Platform versions 16.10.16, 17.4.8, and 17.10.1. Relevant advisories include the GitHub security advisory at GHSA-mrqg-xmgm-rc5g, the patch commit at https://github.com/xwiki/xwiki-platform/commit/47b568c4753a6e682b14be1ca581bdd3b25d45a7, and the Jira issue at https://jira.xwiki.org/browse/XWIKI-23550, which detail the fix implementation.
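As an added illustration, not XWiki's code and not the fix referenced in the advisory above, the following Python contrasts the CWE-770 pattern described here (a property-metadata endpoint that materialises every page with no query limit) with a bounded version that clamps the requested window, and then runs a simple access-log check for the endpoint family named above. The page store, the cap of 100 items, the flagging thresholds, the Combined Log Format lines and the client addresses are all constructed assumptions.

```python
import re
from collections import Counter

# Constructed "large wiki" stand-in; not XWiki's data model.
PAGES = [f"Space{i % 50}.Page{i}" for i in range(100_000)]

# Assumed cap on items per response; the page does not state the value the real fix uses.
MAX_NUMBER = 100


def list_property_metadata_unbounded(pages=PAGES):
    """The CWE-770 pattern: every page becomes one metadata entry, however large the wiki."""
    return [{"value": name} for name in pages]


def list_property_metadata_bounded(pages=PAGES, start=0, number=MAX_NUMBER):
    """Hardened pattern: clamp the window so a single request can never enumerate the whole wiki."""
    if start < 0:
        raise ValueError("start must be non-negative")
    number = max(1, min(number, MAX_NUMBER))  # reject 0 and anything above the cap
    window = pages[start:start + number]
    return {
        "items": [{"value": name} for name in window],
        "start": start,
        "number": len(window),
        "total": len(pages),
        "truncated": start + len(window) < len(pages),
    }


# Detection side: the REST endpoint family named in the advisory.
PROPERTIES_ENDPOINT = re.compile(
    r"/rest/wikis/[^/\s]+/spaces/\S+/objects/[^/\s]+/\d+/properties(?:\?|$)"
)
ACCESS_LINE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r"(?P<status>\d{3}) (?P<bytes>\d+|-)"
)

# Constructed access-log sample in Combined Log Format; addresses are documentation ranges.
SAMPLE_LOG = """\
203.0.113.7 - - [15/Apr/2026:10:00:01 +0000] "GET /xwiki/rest/wikis/xwiki/spaces/AnnotationCode/pages/AnnotationConfig/objects/AnnotationCode.AnnotationConfig/0/properties HTTP/1.1" 200 84512233
203.0.113.7 - - [15/Apr/2026:10:00:02 +0000] "GET /xwiki/rest/wikis/xwiki/spaces/AnnotationCode/pages/AnnotationConfig/objects/AnnotationCode.AnnotationConfig/0/properties HTTP/1.1" 200 84512233
203.0.113.7 - - [15/Apr/2026:10:00:03 +0000] "GET /xwiki/rest/wikis/xwiki/spaces/AnnotationCode/pages/AnnotationConfig/objects/AnnotationCode.AnnotationConfig/0/properties HTTP/1.1" 503 0
198.51.100.4 - alice [15/Apr/2026:10:00:05 +0000] "GET /xwiki/bin/view/Main/WebHome HTTP/1.1" 200 14211
198.51.100.4 - alice [15/Apr/2026:10:00:09 +0000] "GET /xwiki/rest/wikis/xwiki/spaces/AnnotationCode/pages/AnnotationConfig/objects/AnnotationCode.AnnotationConfig/0/properties HTTP/1.1" 200 84512233
"""


def property_enumeration_hits(log_text):
    """Per-client request count and bytes served for the property-metadata endpoints."""
    counts, served = Counter(), Counter()
    for line in log_text.splitlines():
        m = ACCESS_LINE.match(line)
        if not m or not PROPERTIES_ENDPOINT.search(m["path"]):
            continue
        counts[m["client"]] += 1
        served[m["client"]] += 0 if m["bytes"] == "-" else int(m["bytes"])
    return counts, served


def flag_clients(log_text, max_requests=3, max_bytes=100 * 1024 * 1024):
    """Clients that hit the endpoint repeatedly or pull an unusually large volume from it."""
    counts, served = property_enumeration_hits(log_text)
    return sorted(c for c in counts if counts[c] >= max_requests or served[c] >= max_bytes)


if __name__ == "__main__":
    print(len(list_property_metadata_unbounded()), "entries from the unbounded listing")
    print(list_property_metadata_bounded(number=10_000)["number"], "entries after clamping")
    print("flagged clients:", flag_clients(SAMPLE_LOG))
```

The bounded variant is the shape of the SC-6 control named in the summary: the server, not the caller, decides the maximum work one request may cause, and the response carries `total` and `truncated` so a legitimate client can page through the rest. The log check is deliberately coarse; in practice the thresholds would be tuned to the wiki's normal traffic and the 503 responses correlated with server-side memory and CPU metrics.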

Vulnerability details

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Versions 1.8-rc-1, 17.0.0-rc-1 and 17.5.0-rc-1 and prior include a resource exhaustion vulnerability in REST API endpoints such as /xwiki/rest/wikis/xwiki/spaces/AnnotationCode/pages/AnnotationConfig/objects/AnnotationCode.AnnotationConfig/0/properties, which list all available pages as part of the metadata for database list properties without applying query limits. On large wikis, this can exhaust available server resources. This issue has been patched in versions 16.10.16, 17.4.8 and 17.10.1.

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1499.003 Application Exhaustion Flood (tactic: Impact)
Adversaries may target resource intensive features of applications to cause a denial of service (DoS), denying availability to those applications.
Why these techniques?

The vulnerability allows unauthenticated crafted requests to REST API endpoints that trigger unbounded page enumeration and resource consumption (memory/CPU), directly enabling Application Exhaustion Flood (T1499.003) for DoS.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-51991 (same product: Xwiki Xwiki)
CVE-2025-55747 (same product: Xwiki Xwiki)
CVE-2025-24893 (same product: Xwiki Xwiki)
CVE-2026-33229 (same product: Xwiki Xwiki)
CVE-2025-29924 (same product: Xwiki Xwiki)
CVE-2025-29926 (same product: Xwiki Xwiki)
CVE-2025-53836 (same product: Xwiki Xwiki)
CVE-2025-32429 (same product: Xwiki Xwiki)
CVE-2025-54385 (same product: Xwiki Xwiki)
CVE-2025-23025 (same product: Xwiki Xwiki)

Affected Assets

Vendor: xwiki
Product: xwiki
Versions: 1.8 — 16.10.16 · 17.0.0 — 17.4.8 · 17.5.0 — 17.10.1

Mitigating Controls (NIST 800-53 r5, AI)

prevent: Enforces maximum resource allocation limits to directly prevent exhaustion from unlimited page enumeration in vulnerable REST API endpoints.

prevent / detect: Protects against and limits effects of denial-of-service events like resource exhaustion triggered by unauthenticated crafted requests.

prevent: Restricts information inputs at API interfaces to mitigate excessive queries lacking limits on large wikis.

References