Vulnerability in XWiki Platform Allows Unauthorized Admin Access via REST API
CVE-2025-29926

7.9 HIGH

Key Information:

Vendor:
XWiki
CVE Published:
19 March 2025

Summary

The XWiki Platform allows users without the required rights to call the WikiManager REST API, which lets them create a new wiki and, through it, obtain administrator privileges. This poses a significant risk, since such users can then perform unauthorized actions across the wiki farm. The issue is fixed in versions 15.10.15, 16.4.6 and 16.10.0; affected installations should update to one of those versions. Note that the REST API is not part of the standard installation and has to be installed manually through the extension manager, so an instance without that extension is not exposed to this flaw.

Affected Version(s)

xwiki-platform >= 5.4-rc-1, < 15.10.15 (fixed in 15.10.15)

xwiki-platform >= 16.0.0-rc-1, < 16.4.6 (fixed in 16.4.6)

xwiki-platform >= 16.5.0-rc-1, < 16.10.0 (fixed in 16.10.0)

References

CVSS v4

Score: 7.9
Severity: HIGH
Confidentiality: None
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability Published

  • Vulnerability Reserved