CVE-2026-33229: CWE-862: Missing Authorization in xwiki xwiki-platform
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Prior to 17.4.8 and 17.10.1, an improperly protected scripting API allows any user with script right to bypass the sandboxing of the Velocity scripting API and execute, e.g., arbitrary Python scripts, allowing full access to the XWiki instance and thereby compromising the confidentiality, integrity and availability of the whole instance. Note that script right already constitutes a high level of access that we don't recommend giving to untrusted users. This vulnerability is fixed in 17.4.8 and 17.10.1.
AI Analysis
Technical Summary
The vulnerability CVE-2026-33229 in XWiki Platform versions before 17.4.8 and 17.10.1 is due to missing authorization controls in the scripting API. Specifically, users granted script rights can bypass the sandboxing of the Velocity scripting API, enabling execution of arbitrary Python scripts. This flaw allows such users to gain full access to the XWiki instance, compromising its confidentiality, integrity, and availability. The issue arises because the scripting API does not properly restrict script execution beyond the initial script right check. The vendor has addressed this vulnerability by releasing fixed versions 17.4.8 and 17.10.1.
Potential Impact
Successful exploitation allows any user with script rights to execute arbitrary Python code within the XWiki instance, leading to complete compromise of the system's confidentiality, integrity, and availability. This elevates the risk posed by users who already have script rights, potentially enabling them to perform unauthorized actions beyond intended permissions.
Mitigation Recommendations
This vulnerability is fixed in XWiki Platform versions 17.4.8 and 17.10.1. Users should upgrade to one of these versions or later to remediate the issue. Since the vulnerability requires script rights, it is also recommended to restrict granting script rights to trusted users only. Patch status is confirmed fixed in the specified versions; no other remediation level is indicated.
CVE-2026-33229: CWE-862: Missing Authorization in xwiki xwiki-platform
Description
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Prior to 17.4.8 and 17.10.1, an improperly protected scripting API allows any user with script right to bypass the sandboxing of the Velocity scripting API and execute, e.g., arbitrary Python scripts, allowing full access to the XWiki instance and thereby compromising the confidentiality, integrity and availability of the whole instance. Note that script right already constitutes a high level of access that we don't recommend giving to untrusted users. This vulnerability is fixed in 17.4.8 and 17.10.1.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The vulnerability CVE-2026-33229 in XWiki Platform versions before 17.4.8 and 17.10.1 is due to missing authorization controls in the scripting API. Specifically, users granted script rights can bypass the sandboxing of the Velocity scripting API, enabling execution of arbitrary Python scripts. This flaw allows such users to gain full access to the XWiki instance, compromising its confidentiality, integrity, and availability. The issue arises because the scripting API does not properly restrict script execution beyond the initial script right check. The vendor has addressed this vulnerability by releasing fixed versions 17.4.8 and 17.10.1.
Potential Impact
Successful exploitation allows any user with script rights to execute arbitrary Python code within the XWiki instance, leading to complete compromise of the system's confidentiality, integrity, and availability. This elevates the risk posed by users who already have script rights, potentially enabling them to perform unauthorized actions beyond intended permissions.
Mitigation Recommendations
This vulnerability is fixed in XWiki Platform versions 17.4.8 and 17.10.1. Users should upgrade to one of these versions or later to remediate the issue. Since the vulnerability requires script rights, it is also recommended to restrict granting script rights to trusted users only. Patch status is confirmed fixed in the specified versions; no other remediation level is indicated.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-03-18T02:42:27.507Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69d672521cc7ad14da85d649
Added to database: 4/8/2026, 3:20:50 PM
Last enriched: 4/16/2026, 12:00:19 PM
Last updated: 5/23/2026, 11:23:16 AM
Views: 109
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.