
Cloud Vulnerability DB
A community-led vulnerabilities database
XWiki, a generic wiki platform, was found to contain a Missing Authorization vulnerability (CVE-2025-46554) that affects versions from 1.8.1 to before 14.10.22, from 15.0-rc-1 to before 15.10.12, from 16.0.0-rc-1 to before 16.4.3, and from 16.5.0-rc-1 to before 16.7.0. The vulnerability was disclosed on April 30, 2025, and has been patched in versions 14.10.22, 15.10.12, 16.4.3, and 16.7.0 (GitHub Advisory).
The vulnerability is classified as Missing Authorization (CWE-862) with a CVSS v3.1 base score of 5.3 (Medium). The wiki attachment REST endpoint (the `/rest/wikis/{wikiName}/attachments` resource, which lists attachments across a whole wiki) returned results without filtering them by the caller's view rights, so any caller, including an unauthenticated one on a private wiki, could enumerate attachment metadata (GitHub Advisory, NVD).
The metadata exposed includes the page hierarchy, attachment file names, page names, and author names for any attachment in the wiki. Attachment contents themselves are not exposed, but the listing still reveals the wiki's structure, which documents exist, and which users uploaded them, which is information a private wiki is meant to withhold from anonymous callers (XWIKI Issue).
The only known mitigation is to upgrade to a patched version: 14.10.22, 15.10.12, 16.4.3, or 16.7.0. No workaround is documented (GitHub Advisory). Because the fix lives in the REST layer rather than in configuration, verify the upgrade by sending an unauthenticated request to the endpoint on a private wiki and confirming that it no longer returns attachment entries.
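The following Python is an added example, not code from XWiki, the advisory, or this database. It does two things a practitioner would want when triaging this CVE: decide whether an installed XWiki version falls inside one of the four affected ranges stated above (handling the `-rc-N` pre-release suffixes that appear in those ranges), and summarise what an anonymous response from the wiki attachment endpoint reveals. The sample response is constructed, and its JSON field names (`attachments`, `name`, `pageId`, `author`) are assumed to match XWiki's REST attachment representation; the `probe` helper, which performs the live unauthenticated request, is included for use against your own instance and is not exercised offline.

```python
"""Version-range check and anonymous-response triage for CVE-2025-46554.

Added example (not XWiki project code). Affected ranges are the four ranges
stated in the advisory; JSON field names are assumed, see exposed_metadata().
"""
import json
import urllib.error
import urllib.request
from typing import List, Optional, Tuple

# (first affected, first fixed) pairs, taken from the advisory text.
AFFECTED_RANGES = [
    ("1.8.1", "14.10.22"),
    ("15.0-rc-1", "15.10.12"),
    ("16.0.0-rc-1", "16.4.3"),
    ("16.5.0-rc-1", "16.7.0"),
]

# Assumed pre-release ordering: milestone < rc < final release.
_PRERELEASE_RANK = {"milestone": 0, "rc": 1}
_RELEASE_RANK = 2


def parse_version(v: str) -> Tuple[Tuple[int, ...], int, int]:
    """Turn '16.4.3' or '15.0-rc-1' into a sortable key.

    The numeric part is padded to three components so '15.0' == '15.0.0',
    and a final release sorts after any pre-release of the same number.
    """
    parts = v.strip().split("-")
    nums = tuple(int(x) for x in parts[0].split("."))
    nums = nums + (0,) * (3 - len(nums))
    if len(parts) == 1:
        return nums, _RELEASE_RANK, 0
    kind = parts[1].lower()
    if kind not in _PRERELEASE_RANK:
        raise ValueError(f"unrecognised pre-release tag in {v!r}")
    number = int(parts[2]) if len(parts) > 2 else 0
    return nums, _PRERELEASE_RANK[kind], number


def is_affected(version: str) -> bool:
    """True if the XWiki version lies in one of the advisory's affected ranges."""
    key = parse_version(version)
    return any(parse_version(lo) <= key < parse_version(hi)
               for lo, hi in AFFECTED_RANGES)


# Constructed sample of a JSON listing; not captured from a real wiki.
SAMPLE_RESPONSE = json.dumps({
    "attachments": [
        {"id": "xwiki:HR.Salaries@bands-2025.xlsx", "name": "bands-2025.xlsx",
         "pageId": "xwiki:HR.Salaries", "author": "XWiki.jdoe", "size": 18231},
        {"id": "xwiki:Main.WebHome@logo.png", "name": "logo.png",
         "pageId": "xwiki:Main.WebHome", "author": "XWiki.Admin", "size": 4201},
    ]
})


def exposed_metadata(body: str) -> List[dict]:
    """Pull out the fields the advisory says leak: page, file name, author.

    Field names ('attachments', 'pageId', 'name', 'author') are an assumption
    about XWiki's REST attachment representation.
    """
    data = json.loads(body)
    return [{"page": a.get("pageId"), "name": a.get("name"),
             "author": a.get("author")}
            for a in data.get("attachments", [])]


def probe(base_url: str, wiki: str = "xwiki", timeout: int = 10) -> Optional[List[dict]]:
    """Query the wiki attachment endpoint with no credentials.

    A patched private wiki should answer 401/403 or return no entries; a
    non-empty list means anonymous callers can enumerate attachment metadata.
    """
    url = f"{base_url.rstrip('/')}/rest/wikis/{wiki}/attachments?number=5"
    req = urllib.request.Request(url, headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return exposed_metadata(resp.read().decode("utf-8"))
    except urllib.error.HTTPError as e:
        if e.code in (401, 403):
            return []
        raise


if __name__ == "__main__":
    for v in ("14.10.21", "14.10.22", "16.4.2", "16.5.0-rc-1", "16.7.0"):
        print(f"{v:12} affected={is_affected(v)}")
    for row in exposed_metadata(SAMPLE_RESPONSE):
        print(row)
```

Run the script as-is to see the range check against a few versions and the fields the constructed listing leaks; call `probe("https://wiki.example.internal")` from a shell that has no XWiki session cookie to test a real instance. Note that `probe` treats 401/403 as "not exposed" but does not distinguish a patched server from one where the REST API is blocked upstream; a 200 with an empty list on a wiki that does contain attachments is the result you want after upgrading.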
Source: This report was generated using AI