
CVE-2022-36090: CWE-285: Improper Authorization in xwiki xwiki-platform

Medium
Published: Thu Sep 08 2022 (09/08/2022, 14:45:13 UTC)
Source: CVE
Vendor/Project: xwiki
Product: xwiki-platform

Description

XWiki Platform Old Core is a core package for XWiki Platform, a generic wiki platform. Prior to versions 13.10.5 and 14.3-rc-1, some resources are missing a check for inactive (not yet activated or disabled) users in XWiki, including the REST service. This means a disabled user can enable themselves using a REST call. Similarly, some resource handlers created by extensions are not protected by default, so an inactive user could perform actions for such extensions. This issue has existed since at least version 1.1 of XWiki, for instance on instances configured to require email activation for new users. It became more critical from version 11.3-rc-1 onward, since the maintainers added the capability to disable users without deleting them and encouraged using that feature. XWiki 14.3-rc-1 and XWiki 13.10.5 contain a patch. There is no workaround for this other than upgrading XWiki.

AI-Powered Analysis

Last updated: 06/21/2025, 23:36:27 UTC

Technical Analysis

CVE-2022-36090 is a medium-severity improper authorization vulnerability (CWE-285) in XWiki Platform, a widely used generic wiki platform. It affects versions from 1.1 up to but not including 13.10.5 on the 13.10.x branch, and 14.x versions prior to 14.3-RC-1. The core issue is that certain resources, including the REST service, authenticate the caller but never check the account's state: an account that is disabled, or that was self-registered and never completed email activation, still has valid credentials, and nothing in the resource layer rejects it. Because the REST API lets a user edit their own profile, a disabled user can flip their own account back to active with a single REST call. Resource handlers contributed by extensions are likewise not protected by default, so an inactive user can also invoke whatever those extensions expose. The practical precondition is therefore possession of the credentials of a disabled or not-yet-activated account, which covers departed staff whose accounts were disabled rather than deleted, and on instances with open registration plus mandatory email activation, anyone who registered and skipped the activation step. The flaw has existed since at least version 1.1, but its criticality increased in 11.3-RC-1 and later, which introduced and encouraged disabling users without deleting them. The result is unauthorized reactivation of accounts and execution of actions that should be blocked by account state. XWiki 13.10.5 and 14.3-RC-1 fix this by enforcing the inactive-user check on the affected resources. No workaround exists other than upgrading to a fixed version. There are no known exploits in the wild at this time, but the flaw sits in a core platform component, is trivial to trigger, and has been present for years, which makes it a significant risk if left unpatched.
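The following is an added illustration, not XWiki's own code, of the authorization gap described above: a small model of a REST-style dispatcher in which authentication succeeds for a disabled account (the credentials still exist), and the only difference between the vulnerable and fixed paths is where the account-state check lives. Putting it in the dispatcher rather than in each handler is what also protects extension-provided handlers by default. The user names, password and the REST path string are constructed for the example; the path shape mirrors XWiki's object-property resources but is an assumption here.

```python
"""Model of CWE-285 as described for CVE-2022-36090 (added example, not XWiki code).
A disabled account can still authenticate; the bug is that nothing consults the
account's `active` flag before a resource handler runs."""
from dataclasses import dataclass

# Constructed REST path for editing one's own profile object (shape assumed, not from the advisory).
PROFILE_ACTIVE_PATH = (
    "/rest/wikis/xwiki/spaces/XWiki/pages/mallory/objects/XWiki.XWikiUsers/0/properties/active"
)


@dataclass
class User:
    name: str
    password: str
    active: bool


class Wiki:
    def __init__(self, users):
        self.users = {u.name: u for u in users}
        self.handlers = {}  # resource path -> handler callable (core or extension)

    def register(self, path, handler):
        """Register a resource handler, whether from the core or from an extension."""
        self.handlers[path] = handler

    def authenticate(self, name, password):
        """Credential check only. A disabled account still passes here."""
        u = self.users.get(name)
        if u is None or u.password != password:
            raise PermissionError("bad credentials")
        return u

    def dispatch_vulnerable(self, name, password, path, **kw):
        """Authenticate, then hand off. `active` is never checked, so every
        registered handler is reachable by an inactive account."""
        user = self.authenticate(name, password)
        return self.handlers[path](self, user, **kw)

    def dispatch_fixed(self, name, password, path, **kw):
        """Same flow, but the account-state check sits in the dispatcher, so it
        covers all handlers, including ones extensions add, without each one
        having to remember it."""
        user = self.authenticate(name, password)
        if not user.active:
            raise PermissionError(f"{name} is inactive")
        return self.handlers[path](self, user, **kw)


def set_user_property(wiki, caller, target, prop, value):
    """Stand-in for a REST object-property update on the caller's own profile."""
    if caller.name != target:
        raise PermissionError("may only edit own profile")
    setattr(wiki.users[target], prop, value)
    return wiki.users[target]


def reactivation_outcome(fixed: bool) -> bool:
    """Does a disabled user end up active after trying to flip their own flag?"""
    w = Wiki([User("mallory", "hunter2", active=False)])  # constructed disabled account
    w.register(PROFILE_ACTIVE_PATH, set_user_property)
    dispatch = w.dispatch_fixed if fixed else w.dispatch_vulnerable
    try:
        dispatch("mallory", "hunter2", PROFILE_ACTIVE_PATH,
                 target="mallory", prop="active", value=True)
    except PermissionError:
        pass
    return w.users["mallory"].active


if __name__ == "__main__":
    print("vulnerable dispatcher, account active afterwards:", reactivation_outcome(fixed=False))
    print("fixed dispatcher, account active afterwards:", reactivation_outcome(fixed=True))
```

The per-handler `caller.name != target` check in `set_user_property` is deliberately not the fix: it is a correct ownership check and still lets the disabled user through, because ownership and account state are different questions. Only the dispatcher-level check closes the gap for every handler at once.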

Potential Impact

For European organizations using XWiki Platform, this vulnerability poses a risk of unauthorized account reactivation and privilege escalation. An attacker holding the credentials of a disabled account (for example a former employee's), or who self-registered on an instance that requires email activation and never completed it, can bypass the intended access restriction and regain an active session, potentially leading to unauthorized reading, modification or disruption of wiki content and related services. Since XWiki is often used for internal documentation, knowledge sharing and collaboration, exploitation could compromise the confidentiality and integrity of sensitive organizational information. The unprotected extension handlers broaden the attack surface further, since an inactive user can reach whatever integrated tools or workflows those extensions expose. This could affect operational continuity and the trustworthiness of internal information systems. Organizations in sectors with strict data protection requirements (e.g., finance, healthcare, government) may face compliance consequences if the unauthorized access amounts to a data breach. Because there is no workaround, vulnerable deployments stay exposed until upgraded, which lengthens the window of risk. The absence of known exploits suggests limited active targeting so far, but the flaw's simplicity and long history warrant prompt remediation.

Mitigation Recommendations

The primary and only effective mitigation is to upgrade XWiki Platform to a fixed release: 13.10.5 or later on the 13.10.x branch, or 14.3-RC-1 or later on the 14.x branch. Organizations should prioritize this in their update cycles, especially if they rely on the disable-user feature, allow self-registration with email activation, or run extensions that register their own resource handlers. Independently of patching, audit user management to enumerate disabled and never-activated accounts, and treat any successful login or REST write by such an account as an incident, since a disabled account should never authenticate successfully in the first place. Restricting reachability of the REST endpoints (the /rest path) through network segmentation, a reverse proxy or firewall rules reduces exposure to the REST vector, but it does not cover extension handlers outside that path and is not a substitute for the upgrade. Monitoring for anomalous API usage, in particular writes to user profile objects, helps detect exploitation attempts. Reviewing extension configurations and confirming that their handlers enforce authorization checks rather than relying on platform defaults is also recommended. Finally, maintain an inventory of XWiki instances and their versions so that every affected deployment is identified and updated promptly.
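The version inventory and the monitoring recommendation above can both be scripted. The block below is an added example, not part of the advisory and not XWiki tooling: a parser that ranks XWiki version strings (including milestone and rc pre-releases) and decides whether a version falls inside the affected ranges the advisory gives, plus a detector that flags REST writes to a user profile object in reverse-proxy access logs. The affected ranges are taken from the advisory; the Combined Log Format lines are constructed, and the assumption that the proxy records the authenticated user name and that profile writes use the /rest/wikis/.../objects/XWiki.XWikiUsers path shape are both assumptions of the example.

```python
"""Triage helpers for CVE-2022-36090 (added example; not part of the advisory or of XWiki).
Affected per the advisory: versions >= 1.1 and < 13.10.5, and 14.x versions < 14.3-rc-1."""
import re

# Pre-release tags sort before the final build of the same number.
PRE_RANK = {"milestone": 0, "rc": 1}
FINAL_RANK = 9

_VERSION_RE = re.compile(
    r"(\d+)(?:\.(\d+))?(?:\.(\d+))?(?:-(milestone|rc)-(\d+))?"
)


def parse_version(v: str):
    """'14.3-rc-1' -> (14, 3, 0, 1, 1); '13.10.5' -> (13, 10, 5, 9, 0)."""
    m = _VERSION_RE.fullmatch(v.strip().lower())
    if not m:
        raise ValueError(f"unrecognised XWiki version: {v!r}")
    major, minor, patch = (int(x or 0) for x in m.group(1, 2, 3))
    if m.group(4):
        return (major, minor, patch, PRE_RANK[m.group(4)], int(m.group(5)))
    return (major, minor, patch, FINAL_RANK, 0)


FIRST_AFFECTED = parse_version("1.1")
FIXED_13 = parse_version("13.10.5")
FIXED_14 = parse_version("14.3-rc-1")


def is_affected(version: str) -> bool:
    """True if the version lies in an affected range from the advisory.
    Versions below 1.1 are reported as unaffected because the advisory makes no claim about them."""
    pv = parse_version(version)
    if pv < FIRST_AFFECTED:
        return False
    if pv[0] >= 14:
        return pv < FIXED_14
    return pv < FIXED_13


# Constructed Combined Log Format lines, not real traffic. Third field is the
# authenticated user as recorded by an assumed reverse proxy.
SAMPLE_LOG = """\
10.0.0.5 - mallory [08/Sep/2022:14:45:13 +0000] "PUT /rest/wikis/xwiki/spaces/XWiki/pages/mallory/objects/XWiki.XWikiUsers/0/properties/active HTTP/1.1" 202 311
10.0.0.7 - alice [08/Sep/2022:14:46:02 +0000] "GET /rest/wikis/xwiki/spaces/Main/pages/WebHome HTTP/1.1" 200 5120
10.0.0.9 - bob [08/Sep/2022:14:46:40 +0000] "GET /rest/wikis/xwiki/spaces/XWiki/pages/bob/objects/XWiki.XWikiUsers/0 HTTP/1.1" 200 902
10.0.0.5 - mallory [08/Sep/2022:14:47:30 +0000] "POST /rest/wikis/xwiki/spaces/XWiki/pages/mallory/objects/XWiki.XWikiUsers HTTP/1.1" 201 640
"""

_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# Assumed path shape for a user profile object under the XWiki space.
_PROFILE_WRITE_RE = re.compile(
    r"^/rest/wikis/[^/]+/spaces/XWiki/pages/(?P<page>[^/]+)/objects/XWiki\.XWikiUsers(?:/|$)"
)


def flag_profile_writes(log_text: str):
    """Return (user, profile page, method, status) for every REST write (PUT/POST)
    aimed at an XWiki.XWikiUsers object. Such writes are rare in normal use; one
    whose user is a disabled or unactivated account is a reactivation attempt."""
    hits = []
    for line in log_text.splitlines():
        m = _LOG_RE.match(line)
        if not m or m["method"] not in ("PUT", "POST"):
            continue
        p = _PROFILE_WRITE_RE.match(m["path"])
        if p:
            hits.append((m["user"], p["page"], m["method"], int(m["status"])))
    return hits


if __name__ == "__main__":
    for v in ("13.10.4", "13.10.5", "14.2", "14.3-rc-1", "14.3", "11.3-rc-1"):
        print(f"{v:>10}: {'AFFECTED' if is_affected(v) else 'fixed'}")
    for hit in flag_profile_writes(SAMPLE_LOG):
        print("profile write:", hit)
```

Cross-reference the flagged user names against the list of disabled and never-activated accounts; a GET on a profile object (bob's line above) is normal reads and is intentionally not flagged.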


Technical Details

Data Version
5.1
Assigner Short Name
GitHub_M
Date Reserved
2022-07-15T00:00:00.000Z
Cisa Enriched
true

Threat ID: 682d9849c4522896dcbf693b

Added to database: 5/21/2025, 9:09:29 AM

Last enriched: 6/21/2025, 11:36:27 PM

Last updated: 8/16/2025, 3:39:23 AM
