CVE-2025-29926
📋 TL;DR
Any user who can reach the WikiManager REST API in XWiki Platform can create a new wiki in which that user is an administrator. This affects XWiki installations where the REST module has been installed manually through the Extension Manager. Administrator rights on the newly created wiki are a foothold for privilege escalation and further attacks on the entire wiki farm.
💻 Affected Systems
- XWiki Platform
📦 What is this software?
XWiki by XWiki
⚠️ Risk & Real-World Impact
Worst Case
An attacker gains full administrative control over the XWiki farm, allowing data theft, content manipulation, installation of malicious extensions, and complete system compromise.
Likely Case
Unauthorized users create new wikis with administrative privileges, leading to unauthorized content creation, privilege escalation, and potential lateral movement within the wiki farm.
If Mitigated
With the vulnerable endpoint unreachable from untrusted networks and strict access controls in place, impact is limited to the affected wiki instance; however, any user who can still reach the endpoint can still obtain administrator rights on a wiki they create.
🎯 Exploit Status
Any user who can send requests to the WikiManager REST endpoint can exploit this (including unauthenticated users if the REST API accepts guest requests). Exploitation requires only the ability to call the wiki-creation endpoint; no special tooling is needed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: XWiki Platform / REST module 15.10.15, 16.4.6, or 16.10.0 (or a later release in the same branch)
Vendor Advisory: https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-gfp2-6qhm-7x43
Restart Required: Yes
Instructions:
1. Update the REST module to version 15.10.15, 16.4.6, or 16.10.0 (or later) via the Extension Manager.
2. Restart the XWiki application server.
3. Verify the update was successful (see How to Verify below).
🔧 Temporary Workarounds
Disable WikiManager REST API
Remove or disable the vulnerable REST API endpoint
Remove the REST module via the Extension Manager, or restrict access to the /rest/wikis endpoint (at minimum, block POST requests to it) at the reverse proxy.
Network Access Control
Restrict network access to the REST API endpoints
Configure firewall or reverse-proxy rules to block external access to /rest/* endpoints. Note that blocking all of /rest/* also breaks any legitimate REST clients; where possible, block only the wiki-creation endpoint.
🧯 If You Can't Patch
- Implement strict network segmentation to isolate XWiki instances
- Enable detailed logging and monitoring for REST API access attempts
🔍 How to Verify
Check if Vulnerable:
Check whether the REST module is installed via the Extension Manager interface. The installation is vulnerable if the module version is earlier than the fixed release for its branch: below 15.10.15 on 15.10.x, below 16.4.6 on 16.4.x, or below 16.10.0 on any other branch.
Check Version:
Check XWiki Administration → Extension Manager → Installed Extensions → REST module
Verify Fix Applied:
Verify that the REST module version shown in the Extension Manager is 15.10.15, 16.4.6, 16.10.0, or a later release in the same branch.
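The version comparison above is easy to get wrong by hand because each maintenance branch has its own fix release. The following is an added example (not XWiki's own code) that applies the branch rule to whatever version string the Extension Manager displays, for both the post-update check in the fix instructions and the vulnerability check here. It assumes XWiki's "major.minor.patch" numbering with an optional "-rc-1" / "-milestone" style qualifier, which it treats as a pre-release of that number.

```python
"""Branch-aware check of an XWiki REST module version against the fixed
releases named on this page (15.10.15, 16.4.6, 16.10.0). Added example, not
XWiki code; the input is the version string shown in the Extension Manager."""

# Fixed releases, oldest branch first. Each entry fixes its own major.minor
# line; 16.10.0 also covers everything newer than it.
FIXED_RELEASES = [(15, 10, 15), (16, 4, 6), (16, 10, 0)]


def parse_version(text):
    """Split '16.4.5' or '16.10.0-rc-1' into ((major, minor, patch), is_prerelease).

    Anything after the first '-' (rc, milestone, SNAPSHOT) is treated as a
    pre-release, assumed here to predate the final release of the same number.
    """
    core, _, qualifier = text.strip().partition("-")
    parts = [int(p) for p in core.split(".")]
    parts += [0] * (3 - len(parts))        # '16.4' -> 16.4.0
    return tuple(parts[:3]), bool(qualifier)


def is_vulnerable(text):
    """True if the given REST module version predates its branch's fix."""
    version, prerelease = parse_version(text)

    # Same maintenance branch as a fixed release: compare the patch level.
    for branch in FIXED_RELEASES:
        if version[:2] == branch[:2]:
            return version < branch or (version == branch and prerelease)

    # Any other branch (e.g. 14.x, or 16.5 through 16.9): only releases newer
    # than the newest fixed release carry the fix; everything older is unpatched.
    newest = FIXED_RELEASES[-1]
    return version < newest or (version == newest and prerelease)


if __name__ == "__main__":
    for v in ["15.10.14", "15.10.15", "16.4.5", "16.4.6", "16.7.2", "16.10.0", "17.1.0"]:
        print(f"{v:>10}: {'VULNERABLE' if is_vulnerable(v) else 'fixed'}")
```

Note the middle case: a 16.7.x install is on neither fixed maintenance branch, so it is vulnerable until upgraded to 16.10.0 or later.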
📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to /rest/wikis endpoint
- Multiple wiki creation attempts from single user
- Administrative actions (for example extension installation) in a newly created wiki by a user who is not a farm administrator
Network Indicators:
- HTTP POST requests to /rest/wikis from unauthorized sources
- Sudden increase in wiki creation activity
SIEM Query (Splunk-style; field names depend on how your log source is parsed):
source="xwiki.log" AND ((http_method="POST" AND uri_path="*/rest/wikis") OR message="*WikiManager*")
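The log and network indicators above, turned into detection logic and run over constructed sample lines. This is an added example, not XWiki code or a real capture: it assumes a combined-style access log from the servlet container or reverse proxy with the authenticated user in the third field, a /xwiki context path, and a 2xx status on a successful wiki creation (all assumptions; adapt the regex and status check to your own log format).

```python
"""Detection logic for the wiki-creation indicators on this page, run over
constructed access-log lines. Added example, not XWiki code. The log format,
the /xwiki context path and the 201 status for a successful creation are
assumptions; adapt LOG_RE to your servlet container or reverse proxy."""

import re
from collections import Counter

# Constructed sample lines (not captured from a real system).
SAMPLE_LOG = """\
10.0.0.5 - alice [12/Mar/2025:10:00:01 +0000] "GET /xwiki/rest/wikis HTTP/1.1" 200 1832
10.0.0.9 - mallory [12/Mar/2025:10:00:07 +0000] "POST /xwiki/rest/wikis HTTP/1.1" 201 512
10.0.0.9 - mallory [12/Mar/2025:10:00:09 +0000] "POST /xwiki/rest/wikis HTTP/1.1" 201 514
10.0.0.9 - mallory [12/Mar/2025:10:00:12 +0000] "POST /xwiki/rest/wikis?media=json HTTP/1.1" 201 509
203.0.113.7 - - [12/Mar/2025:10:01:00 +0000] "POST /xwiki/rest/wikis HTTP/1.1" 401 0
10.0.0.5 - alice [12/Mar/2025:10:02:00 +0000] "GET /xwiki/bin/view/Main/ HTTP/1.1" 200 9000
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \d+'
)

WIKI_CREATE_PATH = "/rest/wikis"   # endpoint named on this page


def parse_line(line):
    """Return a dict of fields, or None for lines that do not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_wiki_creation(event):
    """A wiki-creation attempt is a POST whose path ends in /rest/wikis."""
    path = event["path"].split("?", 1)[0]   # drop query string (e.g. ?media=json)
    return event["method"] == "POST" and path.endswith(WIKI_CREATE_PATH)


def find_indicators(log_text, repeat_threshold=2):
    """Return (all creation attempts,
               users with >= repeat_threshold successful creations,
               attempts with no authenticated user)."""
    attempts = [ev for ev in map(parse_line, log_text.splitlines())
                if ev and is_wiki_creation(ev)]
    successes = Counter(ev["user"] for ev in attempts
                        if ev["status"].startswith("2"))
    repeat_offenders = {u: n for u, n in successes.items() if n >= repeat_threshold}
    unauthenticated = [ev for ev in attempts if ev["user"] == "-"]
    return attempts, repeat_offenders, unauthenticated


if __name__ == "__main__":
    attempts, repeat, unauth = find_indicators(SAMPLE_LOG)
    print(f"{len(attempts)} wiki-creation attempts")
    for user, n in repeat.items():
        print(f"ALERT multiple wiki creations: user={user} count={n}")
    for ev in unauth:
        print(f"ALERT unauthenticated wiki-creation attempt from {ev['ip']} (status {ev['status']})")
```

On the sample data this flags mallory for three successful creations in a few seconds and a guest POST from 203.0.113.7; the failed (401) guest attempt is still worth alerting on, since it shows someone probing the endpoint from outside.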