Critical severity · OSV Advisory · Published Oct 6, 2025 · Updated Apr 15, 2026
CVE-2025-49594
Description
XWiki OIDC provides tooling for using the OpenID Connect protocol with XWiki. In versions from 2.17.1 up to but excluding 2.18.2, anyone with VIEW access to a user's profile page can create an OIDC token for that user. When the XWiki instance is configured to accept token authentication, this allows authenticating as any user, since user profiles are commonly viewable by at least every registered user (and in some setups by guests). Version 2.18.2 contains a patch; note that the fix commit changes the user-applications template shipped in the oidc-provider module, so deployments should confirm which OIDC artifacts they include. As a workaround, disable token authentication.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.xwiki.contrib.oidc:oidc-authenticator (Maven) | >= 2.17.1, < 2.18.2 | 2.18.2 |
Affected products
- Range: oidc-2.17.1, oidc-2.17.2, oidc-2.17.3, … (every release before 2.18.2)
Patches
2f01756b05264d90d71717228OIDC-240: Improve token manager
3 files changed · +32 −6
oidc-provider/src/main/resources/templates/oidc/provider/userapplications.vm+3 −1 modified@@ -24,6 +24,8 @@ #end {{/velocity}} +$xcontext.userReference + {{velocity}} #set ($discard = $xwiki.jsrx.use('templates/oidc/provider/userapplications.js')) #set ($obj = $doc.getObject("XWiki.XWikiUsers")) @@ -33,7 +35,7 @@ {{warning}} {{translation key="xe.admin.users.applyonusers"/}} {{/warning}} -#elseif (!$xcontext.userReference.equals($doc.documentReference) && !$services.security.authorization.hasAccess('programming')) +#elseif (!$xcontext.userReference.equals($doc.documentReference) && !$services.security.authorization.hasAccess('programming', $xcontext.userReference, $doc.documentReference)) {{error}} {{translation key="notallowed"/}} {{/error}}
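Review bot: The line `$xcontext.userReference` added at the top of the first hunk sits between `{{/velocity}}` and `{{velocity}}`, outside any Velocity macro, so it reads as a leftover debug print that will end up in the rendered profile page rather than as part of the authorization fix; I would drop it unless it is intentional. The actual fix is the second hunk, which makes the programming-rights check explicit about subject and target, `hasAccess('programming', $xcontext.userReference, $doc.documentReference)`, instead of the one-argument form; the new test covers the guest case, so the one-argument form presumably evaluated against a different user/document pair, but the diff does not show which. For a guest `$xcontext.userReference` is null, so `!$xcontext.userReference.equals($doc.documentReference)` is a method call on null and it is Velocity's handling of that null result that decides whether this branch is reached; a comment such as `## $xcontext.userReference is null for guest: do not let a null equals() fall through to the allowed branch` plus an explicit null guard would make the intent clear. This template only gates the management UI; if token creation itself is performed by a separate action or script, that path must enforce the same owner-or-programming check independently, which cannot be verified from this diff. The enclosing `#if/#elseif` chain starts before the second hunk and continues after it.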
oidc-test/oidc-test-pageobjects/src/main/java/org/xwiki/contrib/oidc/test/po/OIDCApplicationsUserProfilePage.java+8 −0 modified@@ -45,6 +45,14 @@ public static OIDCApplicationsUserProfilePage gotoPage(String username) return new OIDCApplicationsUserProfilePage(username); } + /** + * @since 2.18.2 + */ + public static boolean isAllowed() + { + return getUtil().getDriver().hasElementWithoutWaiting(By.id("input_application_name")); + } + public OIDCApplicationsUserProfilePage(String username) { super(username);
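Review bot: `isAllowed()` infers authorization purely from the presence of `input_application_name`, so the `assertFalse(isAllowed())` it is written for also passes when the page did not render at all (error page, redirect, blank response) — the negative check cannot distinguish "denied" from "broken". I would add a companion that locates the denial itself, i.e. the `{{error}}` box the template renders (the exact selector has to be confirmed from the rendered page), and have the test assert both. `hasElementWithoutWaiting` also returns false while the page is still loading, which for a negative assertion is a false pass rather than a failure; if `gotoPage` does not already wait for the profile page, a wait on a stable element of the page before the check would close that gap. The Javadoc carries only `@since`; a description such as `Whether the current user can see the token-creation form on this profile page, judged by the presence of the application-name input.` would state what "allowed" means here.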
oidc-test/oidc-test-tests/src/test/it/org/xwiki/oidc/test/OIDCTest.java+21 −5 modified@@ -23,6 +23,7 @@ import java.net.URLConnection; import java.util.Arrays; +import org.apache.commons.httpclient.UsernamePasswordCredentials; import org.junit.BeforeClass; import org.junit.Test; import org.openqa.selenium.By; @@ -32,10 +33,13 @@ import org.xwiki.test.integration.XWikiExecutor; import org.xwiki.test.ui.AbstractTest; import org.xwiki.test.ui.PersistentTestContext; +import org.xwiki.test.ui.TestUtils; import org.xwiki.test.ui.po.LoginPage; import static org.junit.Assert.assertEquals; +import static org.junit.Assert.assertFalse; import static org.junit.Assert.assertNull; +import static org.junit.Assert.assertTrue; /** * Verify the document cache update based on distributed events. @@ -53,7 +57,7 @@ public static void init() throws Exception // This will not be null if we are in the middle of allTests if (context == null) { PersistentTestContext persistentTestContext = - new PersistentTestContext(Arrays.asList(new XWikiExecutor(0)/*, new XWikiExecutor(1)*/)); + new PersistentTestContext(Arrays.asList(new XWikiExecutor(0)/* , new XWikiExecutor(1) */)); initializeSystem(persistentTestContext); // Start XWiki @@ -84,9 +88,9 @@ private void cleanupClient() throws Exception logout(0); } - private void gotToClientLogin() + private void gotToLogin(int index) { - getUtil().switchExecutor(0); + getUtil().switchExecutor(index); getUtil() .gotoPage(getUtil().getBaseBinURL() + "login/XWiki/XWikiLogin?xredirect=%2Fxwiki%2Fbin%2Fview%2FMain%2F"); } 
@@ -107,6 +111,13 @@ private void logout(int index) getUtil().gotoPage(getURL(index, "/bin/logout/XWiki/XWikiLogout?xredirect=%2Fxwiki%2Fbin%2Fview%2FMain%2F")); } + private void login(int index, UsernamePasswordCredentials credentials) + { + gotToLogin(index); + LoginPage loginPage = new LoginPage(); + loginPage.loginAs(credentials.getUserName(), credentials.getPassword()); + } + private String getHomeURL(int index) { return getURL(index, "/bin/view/Main/"); @@ -135,8 +146,13 @@ public void authenticate() throws Exception getUtil().recacheSecretToken(); getUtil().createUser("provideruser", "providerpassword", null); + // Go to token management of provideruser + getUtil().gotoPage(getURL(1, "/bin/view/XWiki/provideruser?category=userapplications")); + // Make sure guest user is not allowed to access the user token management + assertFalse(OIDCApplicationsUserProfilePage.isAllowed()); + // Login on the client - gotToClientLogin(); + gotToLogin(0); // We are asked for the provider to use, set it OIDCClientProviderPage providerPage = new OIDCClientProviderPage(); @@ -172,7 +188,7 @@ public void authenticate() throws Exception assertNull(getCurrentUserReference()); // Login again - gotToClientLogin(); + gotToLogin(0); // We are asked for the provider to use, set it providerPage = new OIDCClientProviderPage();
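Review bot: The new guest check asserts only the negative case, `assertFalse(OIDCApplicationsUserProfilePage.isAllowed())`; nothing asserts that provideruser, once logged in, can still see the form, so a regression that hides the form for everyone — including the profile owner — would pass. The `login(int, UsernamePasswordCredentials)` helper and the `assertTrue` import added in this hunk are not used on the visible lines; if they are not used elsewhere, the positive counterpart is `login(1, new UsernamePasswordCredentials("provideruser", "providerpassword"));` followed by `getUtil().gotoPage(getURL(1, "/bin/view/XWiki/provideruser?category=userapplications"));` and `assertTrue(OIDCApplicationsUserProfilePage.isAllowed());`. The negative check also relies on the browser session being unauthenticated when it navigates to the profile, which the hunk does not establish; an explicit `logout(1)` before the `gotoPage` would make the "guest user" in the comment true by construction, and since the advisory's reported case is another registered user rather than a guest, a check that a second user is denied would cover the actual vulnerability. `authenticate()` begins before this hunk and continues after it.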
References
- github.com/advisories/GHSA-f2hf-pfrj-vrm7 (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2025-49594 (GHSA, advisory)
- github.com/xwiki-contrib/oidc/commit/d90d717172283aaa96bb5bb44e357f910ae64adb (NVD, web)
- github.com/xwiki-contrib/oidc/security/advisories/GHSA-f2hf-pfrj-vrm7 (NVD, web)
- jira.xwiki.org/browse/OIDC-240 (NVD, web)
- www.vicarius.io/vsociety/posts/cve-2025-49594-detect-xwiki-vulnerability (NVD, web)
- www.vicarius.io/vsociety/posts/cve-2025-49594-mitigate-xwiki-vulnerability (NVD, web)