This text was generated using artificial intelligence (AI).In the widely used open-source wiki software DokuWiki is defined as CVE-2026-37106 A reported vulnerability was discussed, which the National Vulnerability Database (NVD) assigned a CVSS score of 9.8 is classified as. Contrary to what was reported initially, it is not related to remote code execution, but rather the ability to create a user account using the registration function (register in inc/auth.php). The manufacturer disputes the classification as a vulnerability: This behavior is intended once the optional self-registration feature is enabled—a feature that, in the default configuration, disabled is. This article provides an objective analysis of the report.
Key Facts:
CVE ID: CVE-2026-37106
Classification: CVSS 9.8 (critical) according to NVD/CISA-ADP – explicitly disputed by the vendor
Type of vulnerability: Unauthorized account creation via the register-Function (CWE-640) – none Remote Code Execution
Prerequisite: Only relevant if optional self-registration is enabled (default: disabled)
Status: Claimed to be intended behavior; no patch announced; no known active exploitation
What CVE-2026-37106 Actually Describes
According to NVD enables the registration feature (register in inc/auth.php) in DokuWiki version 2025-05-14b „Librarian,“ which allows a remote user to create an account. The NVD classifies this as a vulnerability CWE-640 and assigns a CVSS score of 9.8 based on the CISA-ADP enrichment. An initial GitHub advisory that circulated referred to „arbitrary code execution“—this characterization is contradictory and is not supported by the NVD description: The issue involves account creation, not code execution.
Important Note: The DokuWiki developer denies the vulnerability. Self-registration is a documented, optional Feature included in the standard installation disabled is. If it is intentionally enabled, creating accounts is the expected behavior. The high CVSS score (Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) therefore only partially reflects the actual impact of a pure account-based investment and is consequently controversial.
What is the realistic risk?
For installations with disabled Self-registration—the default setting—does not pose any immediate risk based on this report. Where self-registration is enabled, an unregistered user can create an account on their own. Depending on the configuration (such as missing email verification) and the assigned access rights (ACLs), they could thereby gain access to non-public wiki content or features reserved for logged-in users. Contrary to what was originally reported, this vulnerability does not allow for code execution, server takeover, or a ransomware scenario— not derive.
Recommended Actions
Given the disputed classification, a measured, configuration-oriented approach is advisable:
Check the configuration: Check whether self-registration is enabled. In the default configuration, it is disabled—in which case this message does not apply to you.
Secure registration (if used): Restrict registration to trusted users, enable email verification, and review your ACL permissions to ensure that newly created accounts do not have access to sensitive content.
Keep Track of Inventory & Updates: Identify exposed DokuWiki instances and their version numbers, and monitor the official release channels in case the vendor further strengthens the registration logic in the future.
Alignment with Compliance Requirements
Regardless of this specific case, structured vulnerability and configuration management remains at the core of modern security standards: The EU Directive NIS-2 as well as the ISO 27001 (Appendix A, A.8.8) require a defined process for addressing technical vulnerabilities and ensuring secure configurations. A reporting requirement under Art. 33 of the GDPR occurs only if there is actually unauthorized access to personal data—if the DokuWiki instance is configured correctly, this message does not indicate that such access has occurred.
How LocateRisk Creates Transparency
Self-hosted systems such as DokuWiki are often not documented centrally. Continuously monitoring the external attack surface helps keep track of such instances, including their configuration and version status.
External Attack Surface Management (EASM): LocateRisk identifies your organization's publicly accessible systems—including forgotten subdomains, unmanaged cloud assets, and shadow IT. Exposed DokuWiki instances are detected via fingerprinting, allowing you to identify outdated or unnecessarily publicly accessible installations and take steps to secure them.
Continuous Vendor Risk Management (C-VRM): If external service providers or partners operate exposed web applications on your behalf, their security and patching levels can be assessed and tracked through continuous vendor risk management.
LocateRisk is designed as a „Made in Germany“ solution and helps companies comply with GDPR requirements—hosted in certified German data centers with protection against the U.S. Cloud Act.
Sources and further information
NVD/NIST (authoritative classification, status „Disputed“): CVE-2026-37106
LocateRisk identifies your external IT systems and continuously and fully automatically assesses their security. This allows you to detect vulnerabilities before attackers can exploit them.
No. The relevant NVD description refers to creating a user account using the `register` function in `inc/auth.php`, not to code execution. Although an early GitHub advisory mentioned „arbitrary code execution,“ this wording is contradictory and is not supported by the NVD.
Only if you have enabled the optional self-registration feature. In the default configuration, this feature is disabled—in which case this message poses no risk. Check your configuration and the assigned ACL permissions.
No. The vendor disputes the classification as a vulnerability, as this is intended behavior of the optional self-registration feature (NVD status: „Disputed“). Therefore, no security patch has been announced. Mitigation is achieved through configuration—keep self-registration disabled or restrict it.
We use cookies to optimize our website and our service.
Functional
Always active
Technical storage or access is strictly necessary for the lawful purpose of enabling the use of a particular service expressly requested by the subscriber or user, or for the sole purpose of carrying out the transmission of a message over an electronic communications network.
Preferences
The technical storage or access is necessary for the legitimate purpose of storing preferences that have not been requested by the subscriber or user.
Statistics
The technical storage or access, which is carried out exclusively for statistical purposes.Technical storage or access used solely for anonymous statistical purposes. Without a subpoena, the voluntary consent of your Internet service provider, or additional records from third parties, information stored or accessed for this purpose alone generally cannot be used to identify you.
Marketing
Technical storage or access is necessary to create user profiles, to send advertisements, or to track the user on a website or across multiple websites for similar marketing purposes.