Vulnerability Database

299,174

Total vulnerabilities in the database

CVE-2025-49594

Impact

Anyone with VIEW access to a user profile can create a token for that user. If that XWiki instance is configured to allow token authentication, it allows authentication with any user (since users are very commonly viewable, at least to other registered users).

Patches

Version 2.18.2.

Workarounds

The only workaround is to disable token access.

References

https://jira.xwiki.org/browse/OIDC-240
https://github.com/xwiki-contrib/oidc/commit/d90d717172283aaa96bb5bb44e357f910ae64adb

For more information

If you have any questions or comments about this advisory:

Open an issue in Jira XWiki.org
Email us at Security Mailing List

Published: Oct 6, 2025
Updated: Oct 7, 2025
CVE: CVE-2025-49594
GHSA: GHSA-f2hf-pfrj-vrm7
Severity: Critical
Exploit:

No technical information available.

CWEs:

CWE-285

OWASP TOP 10:

A5 - Broken Access Control

Affected Software
References

Software	From	Fixed in
org.xwiki.contrib.oidc / oidc-authenticator	2.17.1	2.18.2

Deep Security Visibility Without the Complexity

SynScan provides clear, real-time security insights so you can monitor your attack surface, spot risks early, and act fast—without extra complexity.

No setup fees
5-min deployment
Cancel anytime