# [CRIT] [GHSA / CRITICAL] CVE-2026-33137: XWiki Platform has an Unauthenticated XAR Import via REST /wikis/{wikiName}

**Source:** GitHub Security Advisories
**Published:** 2026-05-26
**Article:** https://github.com/advisories/GHSA-qrvh-r3f2-9h4r

## Threat Profile

XWiki Platform has an Unauthenticated XAR Import via REST /wikis/{wikiName}

### Impact

`POST /wikis/{wikiName}` executes a XAR import without performing any authentication or authorization checks, allowing an unauthenticated attacker to create or update documents in the target wiki

### Patches

This vulnerability has been patched in XWiki 16.10.17, 17.4.9, 17.10.3, 18.0.1 and 18.1.0-rc-1.

### Workarounds

XWiki is not aware of any workarounds other than adding a rule into an HTTP proxy to pr…

## Indicators of Compromise (high-fidelity only)

- **CVE:** `CVE-2026-33137`

## MITRE ATT&CK Techniques

- **T1190** — Exploit Public-Facing Application

## Kill chain phases observed

_(none detected from narrative keywords)_

## Recommended hunts

### XWiki unauthenticated XAR import via REST POST /rest/wikis/{wikiName} (CVE-2026-33137)

`UC_206_1` · phase: **exploit** · confidence: **High** · AI-generated for this article

**Splunk SPL (CIM):**
```spl
| tstats `summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Web.Web where Web.http_method=POST Web.url="*/rest/wikis/*" Web.status IN (200,202) by Web.src Web.dest Web.url Web.http_method Web.status Web.http_user_agent
| `drop_dm_object_name(Web)`
| regex url="(?i)/rest/wikis/[^/?#]+/?($|\?)"
| convert ctime(firstTime) ctime(lastTime)
| sort - lastTime
```

### IOC-driven hunts (use shared templates)

These are standard IOC-substitution hunts — the canonical SPL and KQL live once in [`_TEMPLATES.md`](../_TEMPLATES.md), so we don't repeat the same boilerplate on every CVE / hash / network-IOC briefing.

- **Asset exposure — vulnerability matches article CVE(s)** ([template](../_TEMPLATES.md#asset-exposure)) — phase: **recon**, confidence: **High**
  - CVE(s): `CVE-2026-33137`


## Why this matters

Severity classified as **CRIT** based on: CVE present, 2 use case(s) fired, 1 technique(s) inferred. Read the full article for actor attribution, tooling details, and any defanged IOCs in the body that aren't visible in the RSS summary.