CVE-2025-46554: XWiki missing authorization when accessing the wiki level attachments list and metadata via REST API
Anyone can access the metadata of any attachment in the wiki through the wiki-level attachment REST endpoint. The endpoint does not filter its results according to the current user's rights, so an unauthenticated user can exploit this even on a completely private wiki.
To reproduce:
- remove view from guest on the whole wiki
- logout
- access http://127.0.0.1:8080/xwiki/rest/wikis/xwiki/spaces/Sandbox/pages/WebHome/attachments
You get a list of attachments, whereas the expected result is an empty list.
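As a verification aid added here (it is not part of the advisory or of the XWiki project), the following Python script runs the reproduction above against your own instance after guest view has been removed and reports whether a guest still sees attachment metadata. It assumes XWiki's REST XML format (default namespace http://www.xwiki.org, one <attachment> element with a <name> child per attachment); the sample response embedded below is constructed.

```python
"""Check an XWiki instance for CVE-2025-46554 exposure: with guest 'view'
removed, a fixed instance answers the attachments endpoint with an empty
list (or 401/403); a vulnerable one still lists the attachments."""
import sys
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET

# Namespace of XWiki's REST XML payloads (assumption about the format).
XWIKI_NS = "{http://www.xwiki.org}"
DEFAULT_URL = ("http://127.0.0.1:8080/xwiki/rest/wikis/xwiki/spaces/"
               "Sandbox/pages/WebHome/attachments")


def attachment_names(xml_body: str) -> list[str]:
    """Return the attachment names listed in a REST attachments response."""
    root = ET.fromstring(xml_body)
    names = []
    for att in root.iter(f"{XWIKI_NS}attachment"):
        name = att.find(f"{XWIKI_NS}name")
        if name is not None and name.text:
            names.append(name.text)
    return names


def fetch_as_guest(url: str) -> tuple[int, str]:
    """GET the endpoint without any credentials; return (status, body)."""
    req = urllib.request.Request(url, headers={"Accept": "application/xml"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, ""


def guest_exposure(status: int, body: str) -> list[str]:
    """Names a guest can see; empty means the instance behaves as expected
    (an empty list or an authorization error)."""
    if status in (401, 403) or not body.strip():
        return []
    return attachment_names(body)


# Constructed sample of what a vulnerable instance returns to a guest.
SAMPLE_LEAK = """<attachments xmlns="http://www.xwiki.org">
  <attachment><name>secret.pdf</name><pageId>xwiki:Sandbox.WebHome</pageId></attachment>
  <attachment><name>notes.txt</name><pageId>xwiki:Sandbox.WebHome</pageId></attachment>
</attachments>"""

if __name__ == "__main__":
    leaked = guest_exposure(*fetch_as_guest(sys.argv[1] if len(sys.argv) > 1 else DEFAULT_URL))
    print("VULNERABLE: guest sees", leaked) if leaked else print("OK: guest sees no attachment metadata")
```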
References
- github.com/advisories/GHSA-r5cr-xm48-97xp
- github.com/xwiki/xwiki-platform
- github.com/xwiki/xwiki-platform/commit/37ecea84fdd053c33733c2ae9a0778bf98eae608
- github.com/xwiki/xwiki-platform/commit/a43e933ddeda17dad1772396e1757998260e9342
- github.com/xwiki/xwiki-platform/commit/c02ce7843a39851865b9d7b6132e32fdd21e3856
- github.com/xwiki/xwiki-platform/security/advisories/GHSA-r5cr-xm48-97xp
- jira.xwiki.org/browse/XWIKI-22424
- jira.xwiki.org/browse/XWIKI-22427
- nvd.nist.gov/vuln/detail/CVE-2025-46554