CVE-2025-29926
Published: 19 March 2025
Summary
CVE-2025-29926 is a high-severity Improper Authorization (CWE-285) vulnerability in Xwiki Xwiki. Its CVSS base score is 7.9 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 18.8% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).
Deeper analysis
XWiki Platform is affected by an authorization vulnerability in its WikiManager REST API prior to versions 15.10.15, 16.4.6, and 16.10.0. The flaw stems from missing authorization checks (CWE-285 and CWE-862) that allow any user to invoke the API and instantiate a new wiki. The affected component is an optional extension that must be installed manually through the extension manager and is not present in the default XWiki Standard distribution.
An unauthenticated or low-privileged attacker can exploit the issue over the network to create a wiki, elevate themselves to administrator of that wiki, and then leverage the new instance to conduct further attacks against the broader XWiki farm. The CVSS 4.0 score of 7.9 reflects the combination of network attack vector, low complexity, and high subsequent impact on scope, integrity, and availability.
The official XWiki security advisory and the linked GitHub commit indicate that the issue is resolved by upgrading the REST module to one of the three patched releases; administrators are advised to apply the update or remove the WikiManager REST extension if it is not required. The associated EPSS values remain low throughout the observation window and exhibit no material increase after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-6733
Vulnerability details
XWiki Platform is a generic wiki platform. Prior to 15.10.15, 16.4.6, and 16.10.0, any user can exploit the WikiManager REST API to create a new wiki, where the user could become an administrator and so performs other attacks on the…
more
farm. Note that this REST API is not bundled in XWiki Standard by default: it needs to be installed manually through the extension manager. The problem has been patched in versions 15.10.15, 16.4.6 and 16.10.0 of the REST module.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability is a missing authorization flaw in a public-facing WikiManager REST API, directly enabling remote unauthenticated exploitation to create wikis and gain admin privileges.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Enforces approved authorizations in the WikiManager REST API to block unauthorized wiki creation and subsequent administrator privilege escalation by any user.
Requires timely identification, reporting, and patching of the improper authorization flaw to fixed REST module versions (15.10.15, 16.4.6, 16.10.0), eliminating the vulnerability.
Employs least privilege to restrict unauthenticated users from gaining unnecessary administrator rights on newly created wikis within the XWiki farm.