CVE-2025-29926: 
Java vulnerability analysis and mitigation

XWiki Platform, a generic wiki platform, was found to contain a critical security vulnerability (CVE-2025-29926) discovered on March 19, 2025. Prior to versions 15.10.15, 16.4.6, and 16.10.0, any user could exploit the WikiManager REST API to create a new wiki, where they could become an administrator and perform other attacks on the farm. It's important to note that this REST API is not bundled in XWiki Standard by default and needs to be installed manually through the extension manager (GitHub Advisory).

The vulnerability stems from missing authorization checks in the WikiManager REST API. The issue has been assigned a CVSS v4.0 score of 7.9 (HIGH) with the vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:H/SI:H/SA:H. The vulnerability is classified as CWE-285 (Improper Authorization) and affects versions after 5.4-rc-1 (GitHub Advisory).

When exploited, this vulnerability allows any user, including unauthenticated users, to create a new wiki where they become the administrator. This elevated access enables the attacker to view all contents, including previously inaccessible pages and sensitive data such as password fields. The attack can be executed even on wikis where read access is denied on all pages, although in such cases, the created wiki might not be accessible (XWIKI Jira).

The vulnerability has been patched in XWiki Platform versions 15.10.15, 16.4.6, and 16.10.0. The fix implements proper authorization checks before allowing wiki creation. There are no workarounds available other than upgrading to a patched version (GitHub Advisory).