
CVE-2025-46554: CWE-862: Missing Authorization in xwiki xwiki-platform

Medium
Tags: Vulnerability, CVE-2025-46554, CVE, CWE-862
Published: Wed Apr 30 2025 (04/30/2025, 18:27:53 UTC)
Source: CVE
Vendor/Project: xwiki
Product: xwiki-platform

Description

XWiki is a generic wiki platform. In versions starting from 1.8.1 to before 14.10.22, from 15.0-rc-1 to before 15.10.12, from 16.0.0-rc-1 to before 16.4.3, and from 16.5.0-rc-1 to before 16.7.0, anyone can access the metadata of any attachment in the wiki using the wiki attachment REST endpoint. There is no filtering for the results depending on current user rights, meaning an unauthenticated user could exploit this even in a private wiki. This issue has been patched in versions 14.10.22, 15.10.12, 16.4.3, and 16.7.0.

AI-Powered Analysis

AI analysis last updated: 06/25/2025, 11:47:13 UTC

Technical Analysis

CVE-2025-46554 is a medium-severity vulnerability affecting multiple versions of the XWiki platform, a widely used generic wiki software. The flaw is classified under CWE-862 (Missing Authorization), indicating that the system fails to properly enforce access controls. Specifically, in affected versions ranging from 1.8.1 up to but not including 14.10.22, from 15.0-rc-1 up to but not including 15.10.12, from 16.0.0-rc-1 up to but not including 16.4.3, and from 16.5.0-rc-1 up to but not including 16.7.0, any user—authenticated or not—can access metadata of any attachment stored in the wiki via the wiki attachment REST endpoint. This metadata exposure occurs without filtering based on user permissions, meaning even private wikis are vulnerable to unauthorized metadata disclosure. The vulnerability does not allow modification or deletion of data, nor does it require user interaction or authentication, making it remotely exploitable with low complexity. The CVSS v3.1 score is 5.3, reflecting a medium impact primarily on confidentiality, with no impact on integrity or availability. The issue has been addressed in versions 14.10.22, 15.10.12, 16.4.3, and 16.7.0, where proper authorization checks were implemented to restrict metadata access according to user rights. No known exploits are currently reported in the wild, but the low barrier to exploitation and the potential exposure of sensitive metadata make timely patching important.

Potential Impact

For European organizations using affected versions of XWiki, this vulnerability poses a risk of unauthorized disclosure of attachment metadata, which may include file names, sizes, timestamps, and possibly other descriptive information. While the vulnerability does not expose the content of attachments directly, metadata can reveal sensitive operational details, project information, or user activity patterns, potentially aiding further reconnaissance or social engineering attacks. Organizations relying on XWiki for internal documentation, knowledge management, or collaboration—especially those handling sensitive or regulated data—may face confidentiality breaches. The exposure is particularly concerning for private wikis intended to restrict access, as the vulnerability bypasses these controls. Although the vulnerability does not impact data integrity or availability, the loss of confidentiality could lead to reputational damage, compliance violations (e.g., GDPR if metadata contains personal data), and increased risk of targeted attacks. Given XWiki's adoption in various sectors including government, education, and enterprises across Europe, the impact could be significant if unpatched.

Mitigation Recommendations

1. Immediately upgrade to a patched version of XWiki: 14.10.22, 15.10.12, 16.4.3, or 16.7.0, depending on the currently deployed release line.
2. If an immediate upgrade is not feasible, implement network-level access controls that restrict the wiki attachment REST endpoint to trusted internal networks or authenticated users only, using firewalls or reverse proxies.
3. Audit current wiki configurations and user permissions to ensure there is no excessive metadata exposure beyond this vulnerability.
4. Monitor access logs for unusual or unauthorized requests to the attachment REST endpoint to detect potential exploitation attempts.
5. Educate administrators and users about the sensitivity of attachment metadata and encourage minimizing sensitive information in file names or descriptions.
6. Consider additional application-layer security controls, such as Web Application Firewalls (WAFs) with custom rules that block unauthenticated access to attachment metadata endpoints.
7. Regularly review and update XWiki and all related components to incorporate security patches promptly.
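As an added example covering items 2 and 4 above (not part of the advisory or of XWiki itself), the script below scans reverse-proxy access logs in Common Log Format and flags successful hits on the wiki attachment REST endpoint from addresses outside the trusted internal ranges. The endpoint path `/rest/wikis/<wiki>/attachments`, the trusted CIDRs, and the log lines are all assumptions or constructed samples.

```python
import ipaddress
import re
from collections import Counter

# Assumption: XWiki runs behind a reverse proxy that writes Common Log Format lines,
# and the wiki-level attachment metadata endpoint named in the advisory is served at
# /rest/wikis/<wiki>/attachments (optionally under a /xwiki context root).
ATTACHMENT_ENDPOINT = re.compile(r"^/(?:xwiki/)?rest/wikis/[^/]+/attachments(?:/|\?|$)")
CLF = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+'
)

# Assumed trusted internal ranges (mitigation item 2); adjust to the real deployment.
TRUSTED = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]


def is_trusted(ip: str) -> bool:
    """True when the source address falls inside one of the trusted networks."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # malformed or hostname-only field: treat as untrusted
    return any(addr in net for net in TRUSTED)


def flag_attachment_requests(lines):
    """Return (alerts, per_ip_counts).

    alerts lists (ip, path, status) for every 200 response on the attachment
    endpoint served to an untrusted source; per_ip_counts tallies all requests
    to the endpoint so bursts (enumeration via paging) stand out in review.
    """
    alerts, counts = [], Counter()
    for line in lines:
        m = CLF.match(line)
        if not m or not ATTACHMENT_ENDPOINT.match(m.group("path")):
            continue
        counts[m.group("ip")] += 1
        if m.group("status") == "200" and not is_trusted(m.group("ip")):
            alerts.append((m.group("ip"), m.group("path"), 200))
    return alerts, counts


# Constructed sample log lines (documentation addresses, not a real deployment).
SAMPLE_LOG = [
    '203.0.113.7 - - [30/Apr/2025:18:30:01 +0000] "GET /xwiki/rest/wikis/xwiki/attachments?media=json HTTP/1.1" 200 5120',
    '203.0.113.7 - - [30/Apr/2025:18:30:02 +0000] "GET /xwiki/rest/wikis/xwiki/attachments?number=100&start=100 HTTP/1.1" 200 4990',
    '10.1.2.3 - - [30/Apr/2025:18:31:10 +0000] "GET /xwiki/rest/wikis/xwiki/attachments HTTP/1.1" 200 3000',
    '198.51.100.9 - - [30/Apr/2025:18:32:00 +0000] "GET /xwiki/bin/view/Main/ HTTP/1.1" 200 7000',
    '198.51.100.9 - - [30/Apr/2025:18:32:05 +0000] "GET /xwiki/rest/wikis/xwiki/attachments HTTP/1.1" 401 120',
]

if __name__ == "__main__":
    for ip, path, status in flag_attachment_requests(SAMPLE_LOG)[0]:
        print(f"ALERT: untrusted source {ip} received {status} on {path}")
```

On a patched release the endpoint still answers 200 but filters the results by the caller's rights, so the alert is a review trigger for the unpatched window rather than proof of disclosure.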


Technical Details

Data Version
5.1
Assigner Short Name
GitHub_M
Date Reserved
2025-04-24T21:10:48.173Z
Cisa Enriched
true
Cvss Version
3.1
State
PUBLISHED

Threat ID: 682d983ac4522896dcbed8c5

Added to database: 5/21/2025, 9:09:14 AM

Last enriched: 6/25/2025, 11:47:13 AM

Last updated: 7/28/2025, 7:33:59 AM
