CVE-2025-49594: 
Java vulnerability analysis and mitigation

CVE-2025-49594 affects XWiki OIDC, a tool for manipulating OpenID Connect protocol in XWiki. The vulnerability was discovered and disclosed on October 6, 2025, affecting versions 2.17.1 and prior to version 2.18.2. The vulnerability allows anyone with VIEW access to a user profile to create authentication tokens for that user, potentially enabling unauthorized authentication (GitHub Advisory).

The vulnerability is classified as a Critical severity issue with a CVSS v4.0 base score of 9.2. The vulnerability stems from improper authorization checks (CWE-285) when handling token creation. The attack vector is network-based (AV:N) with low attack complexity (AC:L), requiring no privileges (PR:N) and no user interaction (UI:N). The vulnerability can result in high impacts on confidentiality, integrity, and availability of the vulnerable system (VC:H/VI:H/VA:H) (GitHub Advisory).

If an XWiki instance is configured to allow token authentication, this vulnerability enables attackers with view access to user profiles to create authentication tokens for any viewable user. Since user profiles are commonly viewable by registered users, this could lead to widespread unauthorized access and potential impersonation of legitimate users (GitHub Advisory).

A patch has been released in version 2.18.2 to address this vulnerability. As a temporary workaround, administrators can disable token access to prevent exploitation. Users are strongly advised to upgrade to version 2.18.2 or implement the recommended workaround (GitHub Advisory).