High severity · NVD Advisory · Published Mar 19, 2025 · Updated Mar 19, 2025

The WikiManager REST API allows any user to create wikis

CVE-2025-29926

Description

XWiki Platform is a generic wiki platform. Prior to versions 15.10.15, 16.4.6, and 16.10.0, any user can exploit the WikiManager REST API to create a new wiki, in which that user becomes an administrator and can then carry out further attacks on the farm. Note that this REST API is not bundled in XWiki Standard by default: it has to be installed manually through the extension manager. The problem has been patched in versions 15.10.15, 16.4.6 and 16.10.0 of the REST module.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: org.xwiki.platform:xwiki-platform-wiki-rest-default (Maven)

Affected versions            Patched version
>= 5.4-rc-1, < 15.10.15      15.10.15
>= 16.0.0-rc-1, < 16.4.6     16.4.6
>= 16.5.0-rc-1, < 16.10.0    16.10.0
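The three ranges above are what a dependency scan has to match an installed artifact version against. The following is an added example (not from the advisory, NVD, or the XWiki project) that encodes the table and answers "is this version of the module affected, and which release fixes it?". The range data is copied from the table; the version ordering is a simplified form of Maven's (numeric segments compared as integers, a qualifier such as "rc" sorting below the corresponding release, trailing zeros ignored) and is an assumption of this example, not Maven's full ComparableVersion.

```python
"""
Match an installed version of the XWiki wiki REST module against the
affected ranges published for CVE-2025-29926.

Example code added alongside the advisory; not the advisory's or XWiki's own
code.  Range data is copied from the advisory table.  The comparator below is
a simplified approximation of Maven version ordering (an assumption): numeric
segments compare numerically, a qualifier segment ("rc", "milestone", ...)
sorts below any number and below the bare release, and trailing ".0" segments
do not change the value.
"""
import re

PACKAGE = "org.xwiki.platform:xwiki-platform-wiki-rest-default"

# (introduced, inclusive) -> (fixed, exclusive); the fixed bound is the patched release.
AFFECTED_RANGES = [
    ("5.4-rc-1", "15.10.15"),
    ("16.0.0-rc-1", "16.4.6"),
    ("16.5.0-rc-1", "16.10.0"),
]


def _tokens(version):
    """Split '16.4.6-rc-1' into [(1,16), (1,4), (1,6), (0,'rc'), (1,1)].

    Kind 1 = numeric segment, kind 0 = qualifier; a number always ranks
    above a qualifier, so the kind is compared before the value.
    """
    out = []
    for part in re.split(r"[.-]", version.strip().lower()):
        if part.isdigit():
            out.append((1, int(part)))
        elif part:
            out.append((0, part))  # qualifiers compared alphabetically among themselves
    return out


def compare_versions(a, b):
    """Return -1, 0 or 1 as version a is lower than, equal to or higher than b."""
    ta, tb = _tokens(a), _tokens(b)
    for i in range(max(len(ta), len(tb))):
        if i < len(ta) and i < len(tb):
            if ta[i] != tb[i]:
                return 1 if ta[i] > tb[i] else -1
            continue
        # One side is exhausted.  A trailing qualifier on the longer side makes it
        # LOWER (16.4.6-rc-1 < 16.4.6); a trailing non-zero number makes it HIGHER
        # (16.4.1 > 16.4); a trailing zero changes nothing (16.4.0 == 16.4).
        longer_is_a = i < len(ta)
        kind, value = ta[i] if longer_is_a else tb[i]
        if kind == 0:
            return -1 if longer_is_a else 1
        if value != 0:
            return 1 if longer_is_a else -1
    return 0


def fixed_version_for(version):
    """Return the patched release for an affected version, or None if not affected."""
    for introduced, fixed in AFFECTED_RANGES:
        if compare_versions(version, introduced) >= 0 and compare_versions(version, fixed) < 0:
            return fixed
    return None


def is_affected(package, version):
    """True when the given Maven coordinate/version pair falls in an affected range."""
    return package == PACKAGE and fixed_version_for(version) is not None


if __name__ == "__main__":
    # Constructed sample inventory: (coordinate, installed version)
    inventory = [
        (PACKAGE, "15.10.14"),
        (PACKAGE, "16.4.6-rc-1"),
        (PACKAGE, "16.10.0"),
        ("org.xwiki.platform:xwiki-platform-rest-server", "16.4.5"),
    ]
    for coord, ver in inventory:
        fix = fixed_version_for(ver) if coord == PACKAGE else None
        status = f"AFFECTED, upgrade to {fix}" if fix else "not affected"
        print(f"{coord} {ver}: {status}")
```

The `-rc-` handling matters in practice: `16.4.6-rc-1` is inside the range and `16.4.6` is not, so a comparator that strips qualifiers or compares strings lexically would mis-classify release candidates and `16.10.0` (which sorts after `16.9.x` numerically but before it as a string).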

Affected products: 1

Patches: 1

Commit 82aa670106c7: XWIKI-22490: Missing checks in WikiManager REST API

https://github.com/xwiki/xwiki-platform · Simon Urli · Nov 21, 2024 · via ghsa
2 files changed · +19 −2
  • xwiki-platform-core/xwiki-platform-wiki/xwiki-platform-wiki-rest/xwiki-platform-wiki-rest-default/src/main/java/org/xwiki/wiki/rest/internal/DefaultWikiManagerREST.java (+12 −1, modified)
    @@ -25,11 +25,13 @@
     import javax.inject.Named;
     import javax.ws.rs.POST;
     import javax.ws.rs.QueryParam;
    +import javax.ws.rs.WebApplicationException;
     import javax.ws.rs.core.Response;
     import javax.ws.rs.core.UriBuilder;
     
     import org.xwiki.component.annotation.Component;
     import org.xwiki.model.reference.EntityReferenceSerializer;
    +import org.xwiki.model.reference.WikiReference;
     import org.xwiki.rest.Relations;
     import org.xwiki.rest.XWikiResource;
     import org.xwiki.rest.XWikiRestException;
    @@ -42,6 +44,8 @@
     import org.xwiki.rest.resources.wikis.WikiResource;
     import org.xwiki.rest.resources.wikis.WikiSearchQueryResource;
     import org.xwiki.rest.resources.wikis.WikiSearchResource;
    +import org.xwiki.security.authorization.AuthorizationManager;
    +import org.xwiki.security.authorization.Right;
     import org.xwiki.wiki.descriptor.WikiDescriptor;
     import org.xwiki.wiki.descriptor.WikiDescriptorManager;
     import org.xwiki.wiki.manager.WikiManager;
    @@ -73,12 +77,19 @@ public class DefaultWikiManagerREST extends XWikiResource implements WikiManager
         @Inject
         private EntityReferenceSerializer<String> entityReferenceSerializer;
     
    +    @Inject
    +    private AuthorizationManager authorizationManager;
    +
         @Override
         @POST
         public Response createWiki(@QueryParam("template") String template, Wiki wiki) throws XWikiRestException
         {
             XWikiContext xcontext = getXWikiContext();
             WikiDescriptor descriptor = null;
    +        WikiReference mainWikiReference = new WikiReference(wikiDescriptorManager.getMainWikiId());
    +        if (!this.authorizationManager.hasAccess(Right.CREATE_WIKI, xcontext.getUserReference(), mainWikiReference)) {
    +            throw new WebApplicationException(Response.Status.UNAUTHORIZED);
    +        }
     
             try {
                 // Find the wiki owner
    @@ -132,7 +143,7 @@ public Response createWiki(@QueryParam("template") String template, Wiki wiki) t
          * @param description the wiki description.
          * @return the wiki model object.
          */
    -    public static Wiki createWiki(ObjectFactory objectFactory, URI baseUri, String wikiName, String owner,
    +    private static Wiki createWiki(ObjectFactory objectFactory, URI baseUri, String wikiName, String owner,
                 String description)
         {
             Wiki wiki = objectFactory.createWiki().withId(wikiName).withName(wikiName).withOwner(owner)
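Review bot: the new guard at the top of createWiki throws `WebApplicationException(Response.Status.UNAUTHORIZED)`, i.e. HTTP 401, but what it tests is a missing right (CREATE_WIKI on the main wiki), not a missing identity, so an authenticated caller without the right would conventionally receive 403 Forbidden; consider `Response.Status.FORBIDDEN`, with the integration test's expected status adjusted to match. The placement is right: the check runs after `getXWikiContext()` and before the try block and any WikiManager call, so nothing is created for a caller who fails it. Separately, changing `public static Wiki createWiki(...)` to `private static` is not needed for the fix and breaks any external caller of that helper; if it is intentional hardening of the API surface, the commit message should say so.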
    
  • xwiki-platform-core/xwiki-platform-wiki/xwiki-platform-wiki-test/xwiki-platform-wiki-test-docker/src/test/it/org/xwiki/wiki/test/ui/WikiManagerRestIT.java (+7 −1, modified)
    @@ -47,14 +47,20 @@ class WikiManagerRestIT
         @Order(1)
         void testCreateWiki(TestUtils setup) throws Exception
         {
    +        setup.createUser("CreateWikiTest", "CreateWikiTestPWD", null);
    +        setup.login("CreateWikiTest", "CreateWikiTestPWD");
             String wikiId = "foo";
     
             Wiki wiki = new Wiki();
             wiki.setId(wikiId);
    +        wiki.setName("test");
    +        wiki.setName("Some description");
    +        PostMethod postMethod = setup.rest().executePost(WikiManagerREST.class, wiki);
    +        assertEquals(HttpStatus.SC_UNAUTHORIZED, postMethod.getStatusCode());
     
             // Need admin right to create a wiki
             setup.setDefaultCredentials(TestUtils.SUPER_ADMIN_CREDENTIALS);
    -        PostMethod postMethod = setup.rest().executePost(WikiManagerREST.class, wiki);
    +        postMethod = setup.rest().executePost(WikiManagerREST.class, wiki);
             assertEquals(HttpStatus.SC_CREATED, postMethod.getStatusCode());
     
             try (InputStream stream = postMethod.getResponseBodyAsStream()) {
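Review bot: the two consecutive lines `wiki.setName("test");` and `wiki.setName("Some description");` look like a copy-paste slip; the second call presumably should set the description, and as written it overwrites the name, so the request goes out with "Some description" as the wiki name and no description at all. Otherwise the sequence is sound: the freshly created non-admin user posts first and the test asserts `HttpStatus.SC_UNAUTHORIZED`, matching the status thrown in DefaultWikiManagerREST (if that is changed to 403, this assertion changes with it), then the superadmin credentials are set and the same request is expected to return `SC_CREATED`; since the `PostMethod postMethod` declaration moved up, the later plain `postMethod = ...` reassignment is correct.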
    

