CVE-2025-29926
Published: 19 March 2025
Summary
CVE-2025-29926 is a critical-severity Improper Authorization (CWE-285) vulnerability in Xwiki Xwiki. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 19.1% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Enforces approved authorizations in the WikiManager REST API to block unauthorized wiki creation and subsequent administrator privilege escalation by any user.
Requires timely identification, reporting, and patching of the improper authorization flaw to fixed REST module versions (15.10.15, 16.4.6, 16.10.0), eliminating the vulnerability.
Employs least privilege to restrict unauthenticated users from gaining unnecessary administrator rights on newly created wikis within the XWiki farm.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability is a missing authorization flaw in a public-facing WikiManager REST API, directly enabling remote unauthenticated exploitation to create wikis and gain admin privileges.
NVD Description
XWiki Platform is a generic wiki platform. Prior to 15.10.15, 16.4.6, and 16.10.0, any user can exploit the WikiManager REST API to create a new wiki, where the user could become an administrator and so performs other attacks on the…
more
farm. Note that this REST API is not bundled in XWiki Standard by default: it needs to be installed manually through the extension manager. The problem has been patched in versions 15.10.15, 16.4.6 and 16.10.0 of the REST module.
Deeper analysisAI
CVE-2025-29926 is a high-severity vulnerability (CVSS 3.1 score of 9.8) affecting the XWiki Platform, a generic wiki platform, specifically in its WikiManager REST API within the REST module. The flaw, tied to CWE-285 (Improper Authorization) and CWE-862 (Missing Authorization), exists in versions prior to 15.10.15, 16.4.6, and 16.10.0. It enables unauthorized wiki creation where the attacker gains administrator privileges. Note that the WikiManager REST API is not included by default in XWiki Standard and must be manually installed via the extension manager.
Any unauthenticated user can exploit this vulnerability remotely over the network with low complexity and no user interaction required. Successful exploitation allows the attacker to create a new wiki on the XWiki farm, self-escalate to administrator rights on that wiki, and subsequently launch further attacks across the farm, resulting in high impacts to confidentiality, integrity, and availability (C:H/I:H/A:H).
The issue has been addressed in patches for the REST module at versions 15.10.15, 16.4.6, and 16.10.0. Official advisories, including the XWiki security advisory (GHSA-gfp2-6qhm-7x43), the related Jira ticket (XWIKI-22490), and the patching commit (82aa670106c7f5e6238ca6ed59a52d1800e05b99), recommend upgrading to these fixed versions for mitigation.
Details
- CWE(s)