Vulnerability Description
XWiki OIDC has various tools to manipulate OpenID Connect protocol in XWiki. Starting in version 2.17.1 and prior to version 2.18.2, anyone with VIEW access to a user profile can create a token for that user. If that XWiki instance is configured to allow token authentication, it allows authentication with any user (since users are very commonly viewable, at least to other registered users). Version 2.18.2 contains a patch. As a workaround, disable token access.
Related Weaknesses (CWE)
References
- https://github.com/xwiki-contrib/oidc/commit/d90d717172283aaa96bb5bb44e357f910ae
- https://github.com/xwiki-contrib/oidc/security/advisories/GHSA-f2hf-pfrj-vrm7
- https://jira.xwiki.org/browse/OIDC-240
- https://www.vicarius.io/vsociety/posts/cve-2025-49594-detect-xwiki-vulnerability
- https://www.vicarius.io/vsociety/posts/cve-2025-49594-mitigate-xwiki-vulnerabili
FAQ
What is CVE-2025-49594?
CVE-2025-49594 is a documented vulnerability. XWiki OIDC has various tools to manipulate OpenID Connect protocol in XWiki. Starting in version 2.17.1 and prior to version 2.18.2, anyone with VIEW access to a user profile can create a token for th...
How severe is CVE-2025-49594?
CVSS scoring is not yet available for CVE-2025-49594. Check NVD for updates.
Is there a patch for CVE-2025-49594?
Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.