CVE-2025-46557

9.8 CRITICAL

📋 TL;DR

Any user who can view pages in the XWiki space (the default for registered users, and for guests on wikis that allow unregistered viewing) can switch the wiki's active authentication method to any installed authenticator. That can lock every user out or, if a weaker authenticator extension happens to be installed, let an attacker log in through it. It affects the XWiki version ranges listed below; the vendor rates it 9.8 CRITICAL. The real impact depends on which authenticator extensions are installed.

💻 Affected Systems

Products:
  • XWiki
Versions: 15.3-rc-1 to before 15.10.14, 16.0.0-rc-1 to before 16.4.6, 16.5.0-rc-1 to before 16.10.0-rc-1
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Requires view access to the XWiki space. Impact depends on which authenticator extensions are installed: with only the default authenticator there is nothing to switch to.

📦 What is this software?

XWiki is an open-source, Java-based wiki platform used as an intranet and knowledge-base system. Its authentication layer is pluggable: the active authenticator can be the built-in form login or an extension (LDAP, OpenID Connect and others), and the wiki records which one is in use. This vulnerability concerns the page that lets the active authenticator be changed.

⚠️ Risk & Real-World Impact

🔴

Worst Case

The active authenticator is switched to one an attacker can satisfy (for example a weaker or misconfigured authenticator extension that happens to be installed), giving unauthorized access; or it is switched to an authenticator that cannot complete logins on this wiki, locking every user out (denial of service).

🟠

Likely Case

Temporary authentication disruption by switching to incompatible authenticator, requiring administrator intervention to restore service.

🟢

If Mitigated

Minimal impact if only the default authenticator is installed (there is nothing to switch to) or if non-admin users cannot view the XWiki space.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires only view access to the XWiki space, which a default registered user has; no further privilege is needed. The "No" for unauthenticated exploit assumes the XWiki space is not viewable by guests. The vendor's 9.8 rating (network, no privileges required) suggests guest view access is enough, so on any wiki that allows unregistered users to view pages, treat this as exploitable without an account.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 15.10.14, 16.4.6, or 16.10.0-rc-1

Vendor Advisory: https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-f9c6-2f9p-82jj

Restart Required: Yes

Instructions:

1. Identify the running XWiki version (see How to Verify below).
2. Upgrade to the patched release on your line: 15.10.14, 16.4.6, or 16.10.0-rc-1 (or any later release on that line).
3. Restart the XWiki service.
4. Verify that logins still go through the intended authenticator and that a non-admin test account can no longer switch authenticators.

🔧 Temporary Workarounds

Restrict XWiki Space Access (applies to: all versions)

Limit view access on the affected page to administrators. In the wiki's rights administration, restrict the 'view' and 'edit' rights on XWiki.Authentication.Administration to admin users only, then confirm with a non-admin test account that the page is denied. Restricting the entire XWiki space (XWiki.*) also closes the hole, but many UI features for ordinary users are served from pages in that space, so expect breakage if you do it wholesale; prefer restricting the single page.

Remove Authenticator Switching Page (applies to: all versions)

Delete the XWiki.Authentication.Administration page, or set restrictive permissions on it as above. Deleting it removes the administration UI for switching authenticators; administrators can still set the authenticator class through the xwiki.authentication.authclass property in xwiki.cfg. Re-check the page after any upgrade or extension reinstall, since it may be recreated.

🧯 If You Can't Patch

  • Implement strict access controls on XWiki space pages
  • Monitor authentication logs for unusual authenticator switching attempts

🔍 How to Verify

Check if Vulnerable:

Compare the running XWiki version against the affected ranges above, then log in as a non-admin test account (and, if the wiki allows unregistered viewing, as a guest) and check whether XWiki.Authentication.Administration can be opened. If the version is in range and the page is reachable, the wiki is vulnerable.

Check Version:

The version is shown in the wiki's page footer and in the Administration interface, and a script page can print it with $xwiki.getVersion(). On the server, the xwiki-platform-* jar names under WEB-INF/lib also carry the version. Note that xwiki.properties does not record the version.

Verify Fix Applied:

Confirm the version is 15.10.14, 16.4.6, or 16.10.0-rc-1 (or later on the same line), then re-test with the non-admin account: opening XWiki.Authentication.Administration or attempting to switch authenticators must now be denied.
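Comparing a version string against the three affected ranges is the fiddly part of the check, because XWiki release candidates ("-rc-N") and milestones sort before the final release of the same number, and the second range closes at 16.4.6 while the third opens at 16.5.0-rc-1. The following script is an added example, not code from the advisory or the XWiki project; the version grammar it parses (MAJOR.MINOR[.PATCH][-milestone-N|-rc-N]) is an assumption based on how XWiki numbers its releases.

```python
import re

# Affected ranges from the vendor advisory, as [introduced, fixed) pairs.
AFFECTED_RANGES = [
    ("15.3-rc-1", "15.10.14"),
    ("16.0.0-rc-1", "16.4.6"),
    ("16.5.0-rc-1", "16.10.0-rc-1"),
]

# Assumed XWiki version grammar: MAJOR.MINOR[.PATCH][-milestone-N | -rc-N]
_VERSION_RE = re.compile(
    r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-(milestone|rc)-(\d+))?$", re.IGNORECASE
)
# Pre-release ordering within one version number: milestone < rc < final release.
_STAGE_RANK = {"milestone": 0, "rc": 1, None: 2}


def parse_version(version: str) -> tuple:
    """Turn an XWiki version string into a tuple that sorts in release order."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised XWiki version: {version!r}")
    major, minor, patch, stage, stage_num = m.groups()
    stage = stage.lower() if stage else None
    return (
        int(major),
        int(minor),
        int(patch or 0),          # '15.3' is the same release line as '15.3.0'
        _STAGE_RANK[stage],       # final release outranks any rc/milestone of it
        int(stage_num or 0),
    )


def is_vulnerable(version: str) -> bool:
    """True if `version` falls inside any affected [introduced, fixed) range."""
    v = parse_version(version)
    return any(
        parse_version(lo) <= v < parse_version(hi) for lo, hi in AFFECTED_RANGES
    )


def minimum_fix_for(version: str):
    """Patched version on the same release line, or None if not affected."""
    v = parse_version(version)
    for lo, hi in AFFECTED_RANGES:
        if parse_version(lo) <= v < parse_version(hi):
            return hi
    return None


if __name__ == "__main__":
    for sample in ("15.10.13", "15.10.14", "16.4.5", "16.9.2",
                   "16.10.0-milestone-1", "16.10.0-rc-1", "17.0.0"):
        fix = minimum_fix_for(sample)
        verdict = f"VULNERABLE, upgrade to {fix}" if fix else "not affected"
        print(f"{sample:>20}: {verdict}")
```

Feed it the string you read from the footer or from $xwiki.getVersion(); anything it cannot parse raises rather than silently reporting "not affected".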

📡 Detection & Monitoring

Log Indicators:

  • Authentication method change events
  • Access to XWiki.Authentication.Administration page by non-admin users

Network Indicators:

  • A spike in login failures, or logins that no longer pass through the expected authenticator (for example an SSO redirect that stops happening), immediately after a change to the page above

SIEM Query:

source="xwiki" AND (event="authentication_change" OR page="XWiki.Authentication.Administration")
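The two log indicators above reduce to one rule: any request to XWiki.Authentication.Administration that is either a write action or comes from a non-admin (including the built-in guest user XWiki.XWikiGuest) is worth an alert. The script below is an added example, not part of the page or of XWiki; the log line shape it parses (timestamp, wiki user, method, path, status) and the URL path /bin/<action>/XWiki/Authentication/Administration are assumptions, as is the admin list, so adapt LOG_RE and ADMINS to your own access log and XWikiAdminGroup. The sample lines are constructed.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List

# Assumed log shape (adapt to your container's access log):
#   <ISO timestamp> <wiki user reference> <HTTP method> <path> <status>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<user>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$"
)

# Assumed URL form of the page named in the advisory, XWiki.Authentication.Administration,
# in XWiki's /bin/<action>/<space>/<page> layout. The action segment tells read from write.
TARGET_RE = re.compile(
    r"/bin/(?P<action>[a-z]+)/XWiki/Authentication/Administration(?:/|$|\?)"
)

ADMINS = {"XWiki.Admin"}          # assumed; load from the wiki's XWikiAdminGroup in practice
GUEST = "XWiki.XWikiGuest"        # XWiki's built-in guest (unauthenticated) user reference


@dataclass
class Finding:
    ts: str
    user: str
    action: str
    reason: str


def scan(lines: Iterable[str]) -> List[Finding]:
    """Return one Finding per request that touches the authenticator admin page
    and is either a write action or comes from a non-admin/guest."""
    findings: List[Finding] = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                      # unparsable line: skip, do not crash the scan
        t = TARGET_RE.search(m["path"])
        if not t:
            continue                      # request to some other page
        user, method, action = m["user"], m["method"], t["action"]
        who = "guest" if user == GUEST else ("non-admin" if user not in ADMINS else "admin")
        if action != "view" or method != "GET":
            # save/saveandcontinue or any POST is an attempt to change the authenticator:
            # always notable (it is the "authentication method change" indicator),
            # and an incident if the actor is not an admin.
            reason = "authenticator change attempt"
            if who != "admin":
                reason += f" by {who}"
            findings.append(Finding(m["ts"], user, action, reason))
        elif who != "admin":
            findings.append(Finding(m["ts"], user, action,
                                    f"{who} viewed authentication administration page"))
    return findings


# Constructed sample log (not real data).
SAMPLE_LOG = """2025-05-01T10:00:01Z XWiki.Admin GET /xwiki/bin/view/XWiki/Authentication/Administration 200
2025-05-01T10:05:12Z XWiki.jdoe GET /xwiki/bin/view/XWiki/Authentication/Administration 200
2025-05-01T10:05:40Z XWiki.jdoe POST /xwiki/bin/save/XWiki/Authentication/Administration 302
2025-05-01T10:06:00Z XWiki.XWikiGuest GET /xwiki/bin/view/XWiki/Authentication/Administration 200
2025-05-01T10:07:00Z XWiki.jdoe GET /xwiki/bin/view/Main/WebHome 200
2025-05-01T10:08:00Z XWiki.Admin POST /xwiki/bin/save/XWiki/Authentication/Administration 302"""


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG.splitlines()):
        print(f"{f.ts} {f.user:<18} {f.action:<6} {f.reason}")
```

The admin's own save (last sample line) is still reported, because a legitimate authenticator change is exactly the event you want a ticket to exist for; only the "by non-admin" and "by guest" findings need paging.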

🔗 References

  • Vendor advisory GHSA-f9c6-2f9p-82jj: https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-f9c6-2f9p-82jj
  • NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2025-46557