Vulnerability in XWiki Platform Allows Unauthorized Admin Access via REST API
CVE-2025-29926
Summary
Through the WikiManager REST API, an unauthorized user of the XWiki Platform can create a new wiki and elevate their privileges to those of an administrator. Because this flaw lets malicious users perform unauthorized actions across the wiki farm, its impact is significant. The issue is fixed in versions 15.10.15, 16.4.6 and 16.10.0; users must update to one of these versions. Note that the REST API is not part of the standard installation and must be installed manually through the extension manager.
Affected Version(s)
Package          Affected versions            Introduced      Fixed
xwiki-platform   >= 5.4-rc-1, < 15.10.15      5.4-rc-1        15.10.15
xwiki-platform   >= 16.0.0-rc-1, < 16.4.6     16.0.0-rc-1     16.4.6
xwiki-platform   >= 16.5.0-rc-1, < 16.10.0    16.5.0-rc-1     16.10.0
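As an added example (not part of the advisory or of the XWiki project), the following helper maps an installed xwiki-platform version string onto the three affected ranges above and reports which fixed release applies. It assumes XWiki's Maven-style version scheme, where a "-rc-N" or "-milestone-N" qualifier sorts before the plain release of the same number; the ordering of milestone before rc is an assumption. A version match is only an indicator, since the REST API must be installed separately for the flaw to be reachable.

```python
# Check an xwiki-platform version against the CVE-2025-29926 affected ranges.
# Ranges are half-open: introduced version inclusive, fixed version exclusive.
AFFECTED_RANGES = [
    ("5.4-rc-1", "15.10.15"),
    ("16.0.0-rc-1", "16.4.6"),
    ("16.5.0-rc-1", "16.10.0"),
]

# Assumed qualifier ordering: milestone < rc < final release (Maven-like).
_QUALIFIER_RANK = {"milestone": 0, "rc": 1}
_RELEASE_RANK = 2


def parse_version(version):
    """Turn '16.10.0-rc-1' into a sortable key: (numbers, rank, qualifier_no)."""
    main, _, qualifier = version.strip().partition("-")
    numbers = tuple(int(part) for part in main.split("."))
    numbers += (0,) * (3 - len(numbers))  # pad '5.4' to (5, 4, 0)
    if not qualifier:
        return (numbers, _RELEASE_RANK, 0)
    name, _, number = qualifier.partition("-")  # 'rc-1' -> ('rc', '1')
    if name not in _QUALIFIER_RANK:
        raise ValueError(f"unknown qualifier in version: {version}")
    return (numbers, _QUALIFIER_RANK[name], int(number or 0))


def fixed_version_for(version):
    """Return the fixed release for an affected version, or None if unaffected."""
    key = parse_version(version)
    for introduced, fixed in AFFECTED_RANGES:
        if parse_version(introduced) <= key < parse_version(fixed):
            return fixed
    return None


def is_affected(version):
    return fixed_version_for(version) is not None


if __name__ == "__main__":
    for v in ("15.10.14", "15.10.15", "16.4.5", "16.10.0-rc-1", "16.10.0"):
        print(v, "->", fixed_version_for(v) or "not affected")
```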