CVE-2025-46554

Description

### Impact Anyone can access the metadata of any attachment in the wiki using the wiki attachment REST endpoint. It's not filtering the result depending on current user rights, a not authenticated user could exploit this even in a totally private wiki. To reproduce: * remove view from guest on the whole wiki * logout * access http://127.0.0.1:8080/xwiki/rest/wikis/xwiki/spaces/Sandbox/pages/WebHome/attachments You get a list of attachments, while the expected result should be an empty list. ### Patches This vulnerability has been fixed in XWiki 14.10.22, 15.10.12, 16.7.0-rc-1 and 16.4.3. ### Workarounds We're not aware of any workaround except upgrading. ### References * https://jira.xwiki.org/browse/XWIKI-22424 * https://jira.xwiki.org/browse/XWIKI-22427 * https://github.com/xwiki/xwiki-platform/commit/a43e933ddeda17dad1772396e1757998260e9342#diff-0 ### For more information If you have any questions or comments about this advisory: * Open an issue in [Jira XWiki.org](https://jira.xwiki.org/) * Email us at [Security Mailing List](mailto:[email protected]) ### Attribution Issue reported by [Lukas Monert](https://github.com/LMonert).

Affected packages (1)

• Maven/org.xwiki.platform:xwiki-platform-rest-server>= 1.8.1, < 14.10.22

CVSS scores

References (8)

• ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2025-46554
• PATCHhttps://github.com/xwiki/xwiki-platform
• WEBhttps://github.com/xwiki/xwiki-platform/commit/37ecea84fdd053c33733c2ae9a0778bf98eae608
• WEBhttps://github.com/xwiki/xwiki-platform/commit/a43e933ddeda17dad1772396e1757998260e9342
• WEBhttps://github.com/xwiki/xwiki-platform/commit/c02ce7843a39851865b9d7b6132e32fdd21e3856
• WEBhttps://github.com/xwiki/xwiki-platform/security/advisories/GHSA-r5cr-xm48-97xp
• WEBhttps://jira.xwiki.org/browse/XWIKI-22424
• WEBhttps://jira.xwiki.org/browse/XWIKI-22427