CVE-2026-2074 – This XXE vulnerability in O2OA allows attackers... (How to Fix)

Q: What is the severity of CVE-2026-2074?

CVE-2026-2074 has a CVSS score of 6.3 (MEDIUM). This XXE vulnerability in O2OA allows attackers to read arbitrary files from the server by sending specially crafted XML payloads to the vulnerable endpoint. It affects O2OA installations up to version 9.0.0 that have the vulnerable component enabled. Remote attackers can exploit this without authentication to potentially access sensitive system files.

📋 TL;DR

This XXE vulnerability in O2OA allows attackers to read arbitrary files from the server by sending specially crafted XML payloads to the vulnerable endpoint. It affects O2OA installations up to version 9.0.0 that have the vulnerable component enabled. Remote attackers can exploit this without authentication to potentially access sensitive system files.

💻 Affected Systems

Products:

O2OA

Versions: Up to and including 9.0.0

Operating Systems: All platforms running O2OA

Default Config Vulnerable: ⚠️ Yes

Notes: Affects the /x_program_center/jaxrs/mpweixin/check endpoint via HTTP POST requests

📦 What is this software?

O2oa by Zoneland

View all CVEs affecting O2oa →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete server compromise through file disclosure leading to credential theft, lateral movement, and data exfiltration

🟠

Likely Case

Sensitive file disclosure including configuration files, credentials, and application data

🟢

If Mitigated

Limited impact with proper XML parsing configuration and input validation

🌐 Internet-Facing: HIGH - Remote exploitation without authentication on publicly accessible endpoints

🏢 Internal Only: MEDIUM - Still exploitable from internal networks but requires network access

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Public exploit available on GitHub, simple XXE payloads can be used

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown - vendor unresponsive

Vendor Advisory: None available

Restart Required: Yes

Instructions:

No official patch available. Consider upgrading to any version above 9.0.0 if available, or implement workarounds.

🔧 Temporary Workarounds

Disable vulnerable endpoint

all

Block or disable the /x_program_center/jaxrs/mpweixin/check endpoint

# Configure web server (nginx example):
location /x_program_center/jaxrs/mpweixin/check { deny all; }
# Configure application firewall to block POST to this path

Configure XML parser security

all

Disable external entity processing in XML parsers

# Java example for DocumentBuilderFactory:
DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);

🧯 If You Can't Patch

Implement WAF rules to block XXE patterns in POST requests to vulnerable endpoint
Restrict network access to O2OA instances using firewall rules

🔍 How to Verify

Check if Vulnerable:

Send a test XXE payload to http://[target]/x_program_center/jaxrs/mpweixin/check and check for file disclosure

Check Version:

Check O2OA version in web interface or configuration files

Verify Fix Applied:

Test with same XXE payload - should return error or no file content

📡 Detection & Monitoring

Log Indicators:

POST requests to /x_program_center/jaxrs/mpweixin/check with XML content
XML parsing errors in application logs
File read attempts in system logs

Network Indicators:

HTTP POST requests containing XML with DOCTYPE declarations or external entity references

SIEM Query:

http.method:POST AND http.uri:"/x_program_center/jaxrs/mpweixin/check" AND (http.content_type:"application/xml" OR http.content_type:"text/xml")

📊 Metadata

CVE ID: CVE-2026-2074

CVSS v3 Score: 6.3 (MEDIUM)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

CWE: CWE-610

EPSS Score: 0.06% exploit probability (18.4th percentile)

Published: February 7, 2026

Last Updated: February 17, 2026

🔗 References

https://github.com/SourByte05/SourByte-Lab/issues/7 Exploit,Issue Tracking,Mitigation,Third Party Advisory
https://vuldb.com/?ctiid.344640 Permissions Required,VDB Entry
https://vuldb.com/?id.344640 Third Party Advisory,VDB Entry
https://vuldb.com/?submit.745486 Third Party Advisory,VDB Entry
https://vuldb.com/?submit.745489 Third Party Advisory,VDB Entry

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2026-2074, you might also want to check these: