CVE-2025-46554
XWiki missing authorization when accessing the wiki level attachments list and metadata via REST API
Description
### Impact Anyone can access the metadata of any attachment in the wiki using the wiki attachment REST endpoint. It's not filtering the result depending on current user rights, a not authenticated user could exploit this even in a totally private wiki. To reproduce: * remove view from guest on the whole wiki * logout * access http://127.0.0.1:8080/xwiki/rest/wikis/xwiki/spaces/Sandbox/pages/WebHome/attachments You get a list of attachments, while the expected result should be an empty list. ### Patches This vulnerability has been fixed in XWiki 14.10.22, 15.10.12, 16.7.0-rc-1 and 16.4.3. ### Workarounds We're not aware of any workaround except upgrading. ### References * https://jira.xwiki.org/browse/XWIKI-22424 * https://jira.xwiki.org/browse/XWIKI-22427 * https://github.com/xwiki/xwiki-platform/commit/a43e933ddeda17dad1772396e1757998260e9342#diff-0 ### For more information If you have any questions or comments about this advisory: * Open an issue in [Jira XWiki.org](https://jira.xwiki.org/) * Email us at [Security Mailing List](mailto:security@xwiki.org) ### Attribution Issue reported by [Lukas Monert](https://github.com/LMonert).
How to fix CVE-2025-46554
To remediate CVE-2025-46554, upgrade the affected package to a fixed version below.
- —upgrade to 14.10.22 or later
Is CVE-2025-46554 being exploited?
Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- >= 1.8.1, < 14.10.22