CVE-2022-23654 is an authentication bypass vulnerability affecting Wiki.js, a Node.js-based wiki application developed by Requarks. The flaw exists in versions prior to 2.5.276 and involves improper authentication checks related to page editing permissions. Specifically, an authenticated user with write access limited to certain restricted paths can exploit the vulnerability to update pages outside their authorized scope. This occurs because the access control mechanism validates permissions against user-supplied path values rather than the actual path associated with the target page ID. Consequently, by specifying a different page ID while retaining the original path parameter, an attacker can circumvent path-based restrictions and modify unauthorized pages. The vulnerability stems from CWE-287: Improper Authentication, where the system fails to correctly verify user privileges before allowing sensitive operations. The issue was addressed in a commit that changed the access control logic to verify permissions against the actual path linked to the page ID first, and then, if a path change is requested, perform a secondary access control check on the user-provided path before allowing page moves. No known exploits have been reported in the wild, and the vulnerability requires the attacker to be authenticated with write access on at least some restricted paths, limiting the initial attack surface. However, the flaw allows privilege escalation within the application by expanding the scope of pages a user can edit beyond their intended permissions.

For European organizations using Wiki.js for internal documentation, knowledge management, or collaboration, this vulnerability poses a risk of unauthorized content modification. Attackers with limited write permissions could alter or deface pages outside their authorized scope, potentially leading to misinformation, data integrity issues, or disruption of business processes relying on accurate documentation. In regulated industries such as finance, healthcare, or government, unauthorized changes could violate compliance requirements or cause operational risks. Additionally, if Wiki.js is integrated with other systems or used as a source of truth for critical workflows, unauthorized edits could propagate errors or malicious content downstream. Although the vulnerability does not allow unauthenticated access, the requirement for some level of write access means insider threats or compromised user accounts could be leveraged to exploit this flaw. The absence of known active exploits reduces immediate risk but does not eliminate the potential for targeted attacks, especially in sectors with high-value intellectual property or sensitive information stored in wikis.

European organizations should promptly upgrade Wiki.js installations to version 2.5.276 or later, where the vulnerability is fixed. Until upgrades can be applied, administrators should audit user permissions to ensure that write access is strictly limited to trusted users and minimal necessary paths. Implementing multi-factor authentication (MFA) for all users with write permissions can reduce the risk of account compromise. Monitoring and logging page edits with alerts on unusual modification patterns or edits outside typical user scopes can help detect exploitation attempts. Organizations should also consider isolating Wiki.js instances from public networks or restricting access via VPN or IP whitelisting to reduce exposure. Regularly reviewing and tightening access control policies within Wiki.js, including path-based restrictions, will help prevent privilege escalation. Finally, integrating Wiki.js with centralized identity and access management (IAM) solutions can improve oversight and enforce consistent authentication policies.