OpenID Connect Token Creation Vulnerability in XWiki OIDC
CVE-2025-49594
9.2 CRITICAL
What is CVE-2025-49594?
XWiki OIDC provides tools for handling the OpenID Connect protocol. In versions 2.17.1 up to, but not including, 2.18.2, a user with VIEW access to another user's profile can generate an authentication token for that user if token authentication is enabled. Under such configurations this allows unauthorized access as the other user, potentially exposing sensitive functionality of that account. To mitigate this issue, upgrade to version 2.18.2 or disable token access.
Affected Version(s)
oidc >= 2.17.1, < 2.18.2