Critical severityOSV Advisory· Published Oct 6, 2025· Updated Apr 15, 2026
CVE-2025-49594
CVE-2025-49594
Description
XWiki OIDC has various tools to manipulate OpenID Connect protocol in XWiki. Starting in version 2.17.1 and prior to version 2.18.2, anyone with VIEW access to a user profile can create a token for that user. If that XWiki instance is configured to allow token authentication, it allows authentication with any user (since users are very commonly viewable, at least to other registered users). Version 2.18.2 contains a patch. As a workaround, disable token access.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
org.xwiki.contrib.oidc:oidc-authenticatorMaven | >= 2.17.1, < 2.18.2 | 2.18.2 |
Affected products
2- Range: oidc-2.17.1, oidc-2.17.2, oidc-2.17.3, …
Patches
Vulnerability mechanics
References
7- github.com/advisories/GHSA-f2hf-pfrj-vrm7ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2025-49594ghsaADVISORY
- github.com/xwiki-contrib/oidc/commit/d90d717172283aaa96bb5bb44e357f910ae64adbnvdWEB
- github.com/xwiki-contrib/oidc/security/advisories/GHSA-f2hf-pfrj-vrm7nvdWEB
- jira.xwiki.org/browse/OIDC-240nvdWEB
- www.vicarius.io/vsociety/posts/cve-2025-49594-detect-xwiki-vulnerabilitynvdWEB
- www.vicarius.io/vsociety/posts/cve-2025-49594-mitigate-xwiki-vulnerabilitynvdWEB
News mentions
0No linked articles in our index yet.