Home > Vulnerability Database > CVE-2025-49594

Mend.io Vulnerability Database

CVE-2025-49594

Good to know:

Date: October 6, 2025

XWiki OIDC has various tools to manipulate OpenID Connect protocol in XWiki. Starting in version 2.17.1 and prior to version 2.18.2, anyone with VIEW access to a user profile can create a token for that user. If that XWiki instance is configured to allow token authentication, it allows authentication with any user (since users are very commonly viewable, at least to other registered users). Version 2.18.2 contains a patch. As a workaround, disable token access.

Severity Score

9.8

Related Resources (8)

Url: https://github.com/xwiki-contrib/oidc/security/advisories/GHSA-f2hf-pfrj-vrm7

Url: https://github.com/xwiki-contrib/oidc/commit/d90d717172283aaa96bb5bb44e357f910ae64adb

Url: https://github.com/xwiki-contrib/oidc

Url: https://www.vicarius.io/vsociety/posts/cve-2025-49594-detect-xwiki-vulnerability

Url: https://www.vicarius.io/vsociety/posts/cve-2025-49594-mitigate-xwiki-vulnerability

Url: https://nvd.nist.gov/vuln/detail/CVE-2025-49594

Url: https://jira.xwiki.org/browse/OIDC-240

Url: https://www.mend.io/vulnerability-database/CVE-2025-49594

Severity Score

9.8

Weakness Type (CWE)

Improper Authorization

CWE-285

Top Fix

Upgrade Version

Upgrade to version org.xwiki.contrib.oidc:oidc-authenticator:2.18.2

Learn More

CVSS v3.1

Base Score:	9.8
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	HIGH
Availability (A):	HIGH

Mend.io Vulnerability Database

We found results for “”

CVE-2025-49594

Good to know:

Date: October 6, 2025

Severity Score

Related Resources (8)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?