XWiki view file macro: User can view content of office file without view rights on the attachment
Description
XWiki Remote Macros provides XWiki rendering macros that are useful when migrating content from Confluence. Prior to version 1.27.0, a user with no view rights on a page may see the content of an office attachment displayed with the view file macro. This issue has been patched in version 1.27.0.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CVE-2025-65089 is a privilege escalation in XWiki Remote Macros where a user with no view rights can see an office attachment via the view file macro.
Vulnerability
CVE-2025-65089 affects XWiki Remote Macros (Pro Macros), specifically the view file macro. Prior to version 1.27.0, this macro does not properly enforce access controls when displaying office attachments [1][3]. If an attachment is stored on a page with restricted view rights, the macro may still render its content on a public page [3].
Exploitation
An attacker with edit rights on a public page can invoke the view file macro and point it to an attachment on a restricted page [3]. The macro then renders the attachment content regardless of the viewer's permissions [3]. The attack requires knowledge of the attachment reference and the ability to modify a page [3].
Impact
An attacker who can edit a public XWiki page can view the content of office attachments from pages they should not have access to [3]. This can lead to the leak of private or sensitive data [3].
Mitigation
The vulnerability is patched in version 1.27.0 of the XWiki Remote Macros [1]. No workaround is available [3].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| com.xwiki.pro:xwiki-pro-macros-ui | Maven | < 1.27.0 | 1.27.0 |
Affected products
- Range: < 1.27.0
- xwikisas/xwiki-pro-macros (v5), Range: < 1.27.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
1. github.com/advisories/GHSA-8c52-x9w7-vc95 (GHSA advisory)
2. nvd.nist.gov/vuln/detail/CVE-2025-65089 (NVD advisory)
3. github.com/xwikisas/xwiki-pro-macros/security/advisories/GHSA-8c52-x9w7-vc95 (vendor advisory, x_refsource_CONFIRM)
News mentions
No linked articles in our index yet.