CVE-2025-49594
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-10-06

Last updated on: 2025-10-23

Assigner: GitHub, Inc.

Description
XWiki OIDC has various tools to manipulate OpenID Connect protocol in XWiki. Starting in version 2.17.1 and prior to version 2.18.2, anyone with VIEW access to a user profile can create a token for that user. If that XWiki instance is configured to allow token authentication, it allows authentication with any user (since users are very commonly viewable, at least to other registered users). Version 2.18.2 contains a patch. As a workaround, disable token access.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-10-06
Last Modified
2025-10-23
Generated
2026-06-16
AI Q&A
2025-10-06
EPSS Evaluated
2026-06-15
NVD
CVE-2025-49594
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
xwiki xwiki 2.18.2
xwiki xwiki 2.17.1
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-285 The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-49594 is a critical security flaw in the XWiki OpenID Connect (OIDC) provider component affecting versions 2.17.1 up to but not including 2.18.2. The vulnerability allows any user with VIEW access to another user's profile to create an authentication token for that user. Since user profiles are commonly viewable by other registered users, if the XWiki instance permits token-based authentication, an attacker can authenticate as any user without needing privileges or user interaction. This occurs due to improper authorization checks that fail to verify permissions correctly before allowing token creation. [1]

Impact Analysis

This vulnerability can have a high impact on confidentiality, integrity, and availability of the affected system. An attacker exploiting this flaw can impersonate any user by creating authentication tokens without authorization, thereby gaining unauthorized access to sensitive information, modifying data, or disrupting services. This compromises user authentication and access controls, potentially leading to full system compromise depending on the privileges of the impersonated user. [1]

Detection Guidance

This vulnerability can be detected by checking if your XWiki instance is running a vulnerable version of the OIDC provider component (versions 2.17.1 up to but not including 2.18.2) and if token authentication is enabled. There are no specific network detection commands provided, but you can verify the version of the xwiki-contrib/oidc package and check if token authentication is enabled in your configuration. Additionally, reviewing access logs for unusual token creation activity by users with only VIEW access could help detect exploitation attempts. [1]

Mitigation Strategies

The immediate mitigation step is to disable token authentication in your XWiki instance until you can upgrade to version 2.18.2 or later, which contains the patch for this vulnerability. Disabling token access prevents unauthorized token creation by users with only VIEW access. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-49594. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart