CVE Vulnerability Database

CVE-2025-46557: XWiki Authentication Bypass Vulnerability

CVE-2025-46557 is an authentication bypass vulnerability in XWiki that allows unauthorized users to switch authenticators and potentially disrupt SSO configurations. This article covers technical details, affected versions, and patches.


CVE-2025-46557 Overview

CVE-2025-46557 is a Missing Authorization vulnerability (CWE-862) in XWiki, a generic wiki platform. This vulnerability allows unauthorized users to access the authentication administration page and potentially switch the active authenticator, which could lead to authentication bypass or denial of service conditions.

In vulnerable versions, any user who can access pages located in the XWiki space (by default, anyone) can access the page XWiki.Authentication.Administration and, unless an authenticator is explicitly set in xwiki.cfg, switch to another installed authenticator. This broken access control condition enables attackers to manipulate the authentication mechanism of the entire XWiki installation.

Critical Impact

Unauthorized access to the authenticator setting lets an attacker replace an SSO authenticator (OIDC, LDAP) with the standard XWiki one, or with any other authenticator that happens to be installed. Users who exist only in the external identity provider and have no password stored in XWiki can then no longer log in, which is a denial of service against the whole user base. Any account that still carries a local XWiki password (a legacy local administrator, for instance) becomes reachable with that password even though the deployment intended SSO to be the only way in, which is the authentication bypass angle.

Affected Products

  • XWiki versions 15.3-rc-1 to before 15.10.14
  • XWiki versions 16.0.0-rc-1 to before 16.4.6
  • XWiki versions 16.5.0-rc-1 to before 16.10.0-rc-1
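The three affected ranges above are awkward to check by eye across a fleet, because XWiki release candidates ("-rc-1") sort before the final release of the same number and two-part versions such as 15.3 are really 15.3.0. The following is an added example, not code from the page or from the XWiki project: it encodes the ranges exactly as published (lower bound inclusive, fixed release exclusive) and implements a small version parser. The handling of "milestone" and "rc" suffixes, and their ordering below the final release, is an assumption about XWiki's version scheme.

```python
import re

# Affected ranges for CVE-2025-46557 as published: lower bound inclusive,
# upper bound (the release that carries the fix) exclusive.
AFFECTED_RANGES = [
    ("15.3-rc-1", "15.10.14"),
    ("16.0.0-rc-1", "16.4.6"),
    ("16.5.0-rc-1", "16.10.0-rc-1"),
]

# Pre-release labels and their order (assumption about XWiki's scheme):
# milestone < rc < final release of the same number.
_PRERELEASE_RANK = {"milestone": 0, "rc": 1}
_FINAL_RANK = 2

_VERSION_RE = re.compile(
    r"^(\d+)(?:\.(\d+))?(?:\.(\d+))?(?:-(milestone|rc)-(\d+))?$", re.IGNORECASE
)


def parse_version(version: str) -> tuple:
    """Turn an XWiki version string into a sortable 5-tuple.

    "15.3-rc-1" -> (15, 3, 0, 1, 1)   release candidate 1 of 15.3.0
    "16.4.6"    -> (16, 4, 6, 2, 0)   final release
    Missing numeric parts are padded with 0 so "15.3" equals "15.3.0".
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised XWiki version: {version!r}")
    major, minor, patch = (int(p or 0) for p in m.group(1, 2, 3))
    label, number = m.group(4), m.group(5)
    if label:
        return (major, minor, patch, _PRERELEASE_RANK[label.lower()], int(number))
    return (major, minor, patch, _FINAL_RANK, 0)


def is_vulnerable(version: str) -> bool:
    """True when the version falls inside one of the published affected ranges."""
    v = parse_version(version)
    return any(parse_version(lo) <= v < parse_version(hi) for lo, hi in AFFECTED_RANGES)


def triage(versions) -> dict:
    """Map each reported version of a fleet to its vulnerable/not-vulnerable verdict."""
    return {ver: is_vulnerable(ver) for ver in versions}


if __name__ == "__main__":
    # Constructed fleet inventory, not real data.
    for ver, bad in triage(["15.2.3", "15.3-rc-1", "15.10.13", "15.10.14",
                            "16.4.5", "16.4.6", "16.9.0", "16.10.0-rc-1", "17.0.0"]).items():
        print(f"{ver:14} {'VULNERABLE' if bad else 'not affected'}")
```

Versions outside the three branches (for example anything before 15.3 or from 17.x on) are reported as not affected because they are not in the published ranges, not because they were independently verified; anything the parser does not recognise raises rather than silently passing.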

Discovery Timeline

  • 2025-04-30 - CVE-2025-46557 published to NVD
  • 2025-09-03 - Last updated in NVD database

Technical Details for CVE-2025-46557

Vulnerability Analysis

This vulnerability stems from a missing authorization check on the XWiki.Authentication.Administration page. The page, which controls the active authenticator for the entire XWiki instance, fails to verify whether the accessing user has administrative privileges before allowing configuration changes.

The practical impact depends on the XWiki deployment configuration. By default, XWiki ships with only the Standard XWiki Authenticator, limiting exploitation potential. However, in environments where SSO authenticators such as OIDC or LDAP are installed and actively used, an attacker can switch back to the standard authenticator. This effectively breaks authentication for users who don't have stored passwords in XWiki, as SSO-authenticated users typically rely on external identity providers rather than local credentials.

The attack is particularly impactful in enterprise environments where LDAP or OIDC authentication is the primary access method. Switching authenticators produces a denial-of-service condition in which legitimate SSO users cannot log in, and for any account that still carries a local XWiki password (a leftover local administrator, for instance) it lets whoever knows that password log in directly, bypassing the SSO policy the deployment relies on.

Root Cause

The root cause is a missing authorization check (CWE-862) on the XWiki.Authentication.Administration page: it exposes the authenticator switch without verifying that the requesting user has administrative rights. Two defaults turn that into a reachable flaw. Pages in the XWiki space are viewable by everyone on a default installation, so the control is available to anyone who can reach the wiki, and the runtime switch is only ignored when xwiki.cfg sets the authenticator explicitly, which a default installation does not do.

Attack Vector

The attack is network-based. On a default installation, where guests can view pages in the XWiki space, it requires no authentication at all; where guest view has been turned off, any account allowed to view that space suffices. An attacker navigates directly to XWiki.Authentication.Administration and changes the authenticator setting. The attack flow involves:

  1. Accessing the XWiki instance as an unauthenticated or low-privileged user
  2. Navigating directly to the XWiki.Authentication.Administration page
  3. Selecting a different authenticator from the available options
  4. Saving the configuration to switch the active authentication mechanism

This vulnerability does not require user interaction and can be exploited remotely. Attack complexity is low, but two preconditions must hold: at least one authenticator other than the active one must be installed (otherwise there is nothing to switch to), and xwiki.cfg must not set the authenticator explicitly, since an explicit setting there takes precedence over the runtime switch.

Detection Methods for CVE-2025-46557

Indicators of Compromise

  • Unexpected changes to the active authenticator in XWiki configuration
  • Access-log requests to XWiki.Authentication.Administration, especially POST or save requests, from source addresses or sessions that do not belong to administrators (the web server log will not show the XWiki user name for cookie-based sessions, so correlate by source address or session rather than by the log's user field)
  • Sudden authentication failures for users relying on SSO (OIDC, LDAP)
  • Configuration audit logs indicating authenticator changes by unauthorized accounts

Detection Strategies

  • Monitor web server access logs for requests to /xwiki/bin/view/XWiki/Authentication/Administration from suspicious sources
  • Implement alerting for configuration changes to the authentication subsystem
  • Review XWiki audit logs for unauthorized access to administration pages
  • Deploy web application firewall rules to restrict access to sensitive XWiki administrative pages

Monitoring Recommendations

  • Enable verbose logging for XWiki authentication-related configuration changes
  • Set up alerts for edits to the XWiki.Authentication.Administration document (document history shows which user saved each version) and for any change to the xwiki.authentication.authclass line in xwiki.cfg
  • Monitor for sudden spikes in authentication failures that may indicate authenticator switching
  • Regularly audit who can view and edit pages in the XWiki space, where the administration page lives
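The first detection strategy above (watch the access log for requests to the administration page) and the monitoring recommendation about unexpected writes can be turned into a concrete rule. The following is an added example, not part of the page or of XWiki: it parses web-server "combined" format lines, flags every request whose path addresses XWiki.Authentication.Administration, classifies POSTs and save actions as writes, and raises an alert for writes from sources outside a constructed admin allowlist. The log lines, the allowlist, the "/xwiki" context path and the assumption that the switch is persisted through a POST or a save/saveandcontinue action on that page are all constructed for the example; the code therefore matches the space/page part of the path rather than one exact URL.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Apache/nginx "combined" log format: ip ident user [time] "method path proto" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# XWiki URLs look like /<context>/bin/<action>/<space path>/<page>. The context
# path and whether the page is terminal vary per install, so match from /bin/.
ADMIN_PAGE_RE = re.compile(
    r"/bin/(?P<action>[a-z]+)/XWiki/Authentication/Administration(?:/|\?|$)"
)

# Assumption: the authenticator switch is persisted by a POST to the page or by
# a save action on it; anything else on that path is treated as a read.
WRITE_ACTIONS = {"save", "saveandcontinue", "objectadd", "objectremove"}


@dataclass
class Finding:
    ip: str
    time: str
    method: str
    action: str
    status: str
    kind: str      # "write" or "read"
    trusted: bool  # source address is on the admin allowlist


def parse_line(line: str):
    """Return the named fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def scan_access_log(lines, trusted_sources=frozenset()):
    """Return a Finding for every request that touched the authenticator admin page."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        hit = ADMIN_PAGE_RE.search(rec["path"])
        if hit is None:
            continue
        action = hit.group("action")
        kind = "write" if rec["method"] != "GET" or action in WRITE_ACTIONS else "read"
        findings.append(Finding(rec["ip"], rec["time"], rec["method"], action,
                                rec["status"], kind, rec["ip"] in trusted_sources))
    return findings


def summarize(findings):
    """Per-source read/write counts plus the alert list: writes from untrusted sources."""
    by_source = Counter((f.ip, f.kind) for f in findings)
    alerts = [f for f in findings if f.kind == "write" and not f.trusted]
    return by_source, alerts


# Constructed sample log: one admin read from the allowlisted host, unrelated
# traffic, and a scripted read-then-write sequence from an outside address.
SAMPLE_LOG = """\
198.51.100.2 - - [01/May/2025:09:00:01 +0000] "GET /xwiki/bin/view/XWiki/Authentication/Administration HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.9 - - [01/May/2025:10:14:55 +0000] "GET /xwiki/bin/view/Main/WebHome HTTP/1.1" 200 8012 "-" "Mozilla/5.0"
203.0.113.7 - - [01/May/2025:10:15:32 +0000] "GET /xwiki/bin/view/XWiki/Authentication/Administration HTTP/1.1" 200 5120 "-" "curl/8.4.0"
203.0.113.7 - - [01/May/2025:10:15:40 +0000] "POST /xwiki/bin/view/XWiki/Authentication/Administration HTTP/1.1" 302 0 "-" "curl/8.4.0"
203.0.113.7 - - [01/May/2025:10:15:41 +0000] "POST /xwiki/bin/save/XWiki/Authentication/Administration HTTP/1.1" 302 0 "-" "curl/8.4.0"
192.0.2.9 - - [01/May/2025:10:20:03 +0000] "POST /xwiki/bin/loginsubmit/XWiki/XWikiLogin HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""
TRUSTED_ADMIN_SOURCES = frozenset({"198.51.100.2"})  # constructed allowlist


if __name__ == "__main__":
    found = scan_access_log(SAMPLE_LOG.splitlines(), TRUSTED_ADMIN_SOURCES)
    counts, alerts = summarize(found)
    for (ip, kind), n in sorted(counts.items()):
        print(f"{ip:15} {kind:5} {n}")
    for a in alerts:
        print(f"ALERT write to authenticator page from {a.ip} at {a.time} "
              f"({a.method} {a.action}, HTTP {a.status})")
```

Reads from unknown sources are reported but not alerted on, because on a default installation anyone can view the page; a write from outside the allowlist is the condition worth paging on, and on a patched instance it should not occur at all.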

How to Mitigate CVE-2025-46557

Immediate Actions Required

  • Upgrade to XWiki 15.10.14, 16.4.6 or 16.10.0-rc-1 (or a later release of the same branch) immediately
  • Review access logs to determine if the XWiki.Authentication.Administration page has been accessed by unauthorized users
  • Verify the current authenticator configuration matches expected settings
  • If SSO is in use, confirm it is still the active authenticator

Patch Information

XWiki has released patches addressing this vulnerability. The fix is included in versions 15.10.14, 16.4.6, and 16.10.0-rc-1. The patch implements proper authorization checks to ensure only administrators can access and modify authentication configuration.

For detailed patch information, see:

Workarounds

  • Restrict access to the XWiki.Authentication.Administration page by modifying page permissions to allow only administrators
  • Explicitly set the authenticator in xwiki.cfg to prevent runtime switching
  • Use a reverse proxy or web application firewall to block access to sensitive administrative pages from untrusted sources
  • If upgrading is not immediately possible, uninstall authenticator extensions that are installed but not in use, so there is nothing to switch to; do not remove the authenticator your users depend on, since that causes the same lockout an attacker would
```properties
# xwiki.cfg: pin the authenticator so the runtime switch offered by
# XWiki.Authentication.Administration is ignored. Set it to the authenticator
# the deployment actually uses. The value below is the standard XWiki
# authenticator and is only right for installs that do not use SSO.
xwiki.authentication.authclass=com.xpn.xwiki.user.impl.xwiki.XWikiAuthServiceImpl
```
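Two of the immediate actions above (verify the current authenticator configuration matches expectations, confirm SSO is still the active authenticator) and the xwiki.cfg workaround can be checked mechanically. The following is an added example, not code from the page or from XWiki: it reads xwiki.cfg text, ignores the commented-out defaults the file ships with (lines starting with "#" or "#-#"), and reports whether xwiki.authentication.authclass is pinned and whether it names the expected class. The configuration excerpts are constructed; the OIDC class name is the one documented by the XWiki OIDC Authenticator extension, and the parser assumes the key=value syntax xwiki.cfg uses rather than the full java.util.Properties grammar.

```python
AUTHCLASS_KEY = "xwiki.authentication.authclass"

# Standard authenticator bundled with XWiki, i.e. the one an attacker would
# switch an SSO deployment back to.
STANDARD_AUTHCLASS = "com.xpn.xwiki.user.impl.xwiki.XWikiAuthServiceImpl"

# Class name documented by the XWiki OIDC Authenticator extension; check your
# own extension's documentation for the class it expects.
OIDC_AUTHCLASS = "org.xwiki.contrib.oidc.auth.OIDCAuthServiceImpl"


def active_properties(cfg_text: str) -> dict:
    """Parse xwiki.cfg text into {key: value}, skipping blank lines and comments.

    xwiki.cfg documents its defaults as commented-out lines ("#-# key=value",
    "# key=value"); those are not settings. Only an uncommented "key=value"
    line counts, and a later duplicate overrides an earlier one, as with
    java.util.Properties. Only the "=" separator is handled (assumption: that
    is what xwiki.cfg uses).
    """
    props = {}
    for raw in cfg_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("!"):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue
        props[key.strip()] = value.strip()
    return props


def pinned_authclass(cfg_text: str):
    """Return the explicitly configured authenticator class, or None if not pinned."""
    return active_properties(cfg_text).get(AUTHCLASS_KEY)


def verify(cfg_text: str, expected_authclass: str):
    """Check that the authenticator is pinned and is the one the deployment expects.

    Returns (ok, message). Not pinned means the runtime switch from
    CVE-2025-46557 is effective on an unpatched instance.
    """
    current = pinned_authclass(cfg_text)
    if current is None:
        return False, f"{AUTHCLASS_KEY} is not set; runtime authenticator switch is possible"
    if current != expected_authclass:
        return False, f"{AUTHCLASS_KEY} is {current}, expected {expected_authclass}"
    return True, f"{AUTHCLASS_KEY} pinned to {current}"


# Constructed excerpt of an install that relies on the OIDC authenticator but
# left the setting as the commented-out default: the runtime switch works.
CFG_UNPINNED = """\
#-# The authentication class
#-# xwiki.authentication.authclass=com.xpn.xwiki.user.impl.xwiki.XWikiAuthServiceImpl
xwiki.authentication.cookiepath=/
"""

# The same excerpt after applying the workaround with the OIDC class.
CFG_PINNED = CFG_UNPINNED + f"{AUTHCLASS_KEY}={OIDC_AUTHCLASS}\n"


if __name__ == "__main__":
    for label, cfg in (("unpinned", CFG_UNPINNED), ("pinned", CFG_PINNED)):
        ok, msg = verify(cfg, OIDC_AUTHCLASS)
        print(f"{label:9} {'OK ' if ok else 'BAD'} {msg}")
```

Run it against the real file with `verify(open("/path/to/xwiki.cfg").read(), OIDC_AUTHCLASS)` (or the LDAP or standard class, whichever the deployment is supposed to use). A result of "not set" on a vulnerable version is the condition to fix first; a pinned but unexpected class on any version is worth an incident ticket, since nothing legitimate should have changed it.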

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
