QwikSec

Security Database

CVE

CWE

Training

CVE Database
/

CVE-2025-49594

Back to search

CVE-2025-49594

Published: Oct 6, 2025

Modified: Oct 23, 2025

PUBLISHED

Description

XWiki OIDC has various tools to manipulate OpenID Connect protocol in XWiki. Starting in version 2.17.1 and prior to version 2.18.2, anyone with VIEW access to a user profile can create a token for that user. If that XWiki instance is configured to allow token authentication, it allows authentication with any user (since users are very commonly viewable, at least to other registered users). Version 2.18.2 contains a patch. As a workaround, disable token access.

VendorProductVersions

xwiki-contrib

oidc

affected
>= 2.17.1, < 2.18.2

Weaknesses (CWE)

CWE-285

References

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now