CVE-2025-49594

Description

XWiki OIDC has various tools to manipulate OpenID Connect protocol in XWiki. Starting in version 2.17.1 and prior to version 2.18.2, anyone with VIEW access to a user profile can create a token for that user. If that XWiki instance is configured to allow token authentication, it allows authentication with any user (since users are very commonly viewable, at least to other registered users). Version 2.18.2 contains a patch. As a workaround, disable token access.

Weakness Type (CWE)

CWE-285 CWE-285

References

Other References

https://github.com/xwiki-contrib/oidc/commit/d90d717172283aaa96bb5bb44e357f910ae64adb https://github.com/xwiki-contrib/oidc/security/advisories/GHSA-f2hf-pfrj-vrm7 https://jira.xwiki.org/browse/OIDC-240 https://www.vicarius.io/vsociety/posts/cve-2025-49594-detect-xwiki-vulnerability https://www.vicarius.io/vsociety/posts/cve-2025-49594-mitigate-xwiki-vulnerability

Frequently Asked Questions

What is CVE-2025-49594? +

XWiki OIDC has various tools to manipulate OpenID Connect protocol in XWiki. Starting in version 2.17.1 and prior to version 2.18.2, anyone with VIEW access to a user profile can create a token for that user. If that XWiki instance is configured to allow token authentication, it allows authentication with any user (since users are very commonly viewable, at least to other registered users). Version 2.18.2 contains a patch. As a workaround, disable token access.

How do I check if I'm vulnerable to CVE-2025-49594? +

You can use Secably's free Website Scanner to check your website for known vulnerabilities. For infrastructure scanning, use the Port Scanner to identify exposed services that may be affected. Check the vendor advisories linked above for specific patch and version information.

Related Vulnerabilities

CVE-2025-3013

Insecure Direct Object References (IDOR) in access control in Customer Portal before 2.1.4 on NightWolf Penetration Testing allows an attacker …

CVE-2025-3014

Insecure Direct Object References (IDOR) in access control in Tracking 2.1.4 on NightWolf Penetration Testing allows an attacker to access …

CVE-2025-27509

fleetdm/fleet is an open source device management, built on osquery. In vulnerable versions of Fleet, an attacker could craft a …

CVE-2024-26291

An Unauthenticated Arbitrary File Read vulnerability affects the Agent when installed on a system. The parameter filename does not validate …

CVE-2025-61928

Better Auth is an authentication and authorization library for TypeScript. In versions prior to 1.3.26, unauthenticated attackers can create or …

CVE-2024-52528

Budget Control Gateway acts as an entry point for incoming requests and routes them to the appropriate microservices for Budget …