Improper access control in XWiki platform - CVE-2025-49584


Published: May 5, 2026


Vulnerability identifier: #VU129880
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2025-49584
CWE-ID: CWE-284
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: XWiki
Affected software:
XWiki platform

Detailed vulnerability description

The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to improper access control in the class property values REST API when handling requests for page property values. A remote attacker can send a specially crafted request to disclose sensitive information.

Only page titles are exposed, one title per request, and exploitation requires knowledge of the target page reference. Fully private wikis are not affected.


How to mitigate CVE-2025-49584

Install the security update from the vendor's website.

Sources