CVE-2025-29926

CVE-2025-29926 is a high-severity vulnerability (CVSS 3.1 score of 9.8) affecting the XWiki Platform, a generic wiki platform, specifically in its WikiManager REST API within the REST module. The flaw, tied to CWE-285 (Improper Authorization) and CWE-862 (Missing Authorization), exists in versions prior to 15.10.15, 16.4.6, and 16.10.0. It enables unauthorized wiki creation where the attacker gains administrator privileges. Note that the WikiManager REST API is not included by default in XWiki Standard and must be manually installed via the extension manager.

Any unauthenticated user can exploit this vulnerability remotely over the network with low complexity and no user interaction required. Successful exploitation allows the attacker to create a new wiki on the XWiki farm, self-escalate to administrator rights on that wiki, and subsequently launch further attacks across the farm, resulting in high impacts to confidentiality, integrity, and availability (C:H/I:H/A:H).

The issue has been addressed in patches for the REST module at versions 15.10.15, 16.4.6, and 16.10.0. Official advisories, including the XWiki security advisory (GHSA-gfp2-6qhm-7x43), the related Jira ticket (XWIKI-22490), and the patching commit (82aa670106c7f5e6238ca6ed59a52d1800e05b99), recommend upgrading to these fixed versions for mitigation.