
CVE-2025-46557: CWE-862: Missing Authorization in xwiki xwiki-platform

Severity: High
Published: Wed Apr 30 2025 (04/30/2025, 18:27:39 UTC)
Source: CVE
Vendor/Project: xwiki
Product: xwiki-platform

Description

XWiki is a generic wiki platform. In versions starting from 15.3-rc-1 to before 15.10.14, from 16.0.0-rc-1 to before 16.4.6, and from 16.5.0-rc-1 to before 16.10.0-rc-1, a user who can access pages located in the XWiki space (by default, anyone) can access the page XWiki.Authentication.Administration and (unless an authenticator is set in xwiki.cfg) switch to another installed authenticator. Note that, by default, there is only one authenticator available (Standard XWiki Authenticator). So, if no authenticator extension was installed, an attacker can't really do anything. Also, in most cases, if an SSO authenticator is installed and used (like OIDC or LDAP, for example), the worst an attacker can do is break authentication by switching back to the standard authenticator (because it's impossible to log in as a user that does not have a stored password, which is usually what SSO authenticators produce). This issue has been patched in versions 15.10.14, 16.4.6, and 16.10.0-rc-1.

AI-Powered Analysis

Last updated: 06/25/2025, 11:47:00 UTC

Technical Analysis

CVE-2025-46557 is a high-severity missing-authorization vulnerability (CWE-862) affecting multiple versions of XWiki, a widely used generic wiki platform. The flaw exists in versions from 15.3-rc-1 up to but not including 15.10.14, from 16.0.0-rc-1 up to but not including 16.4.6, and from 16.5.0-rc-1 up to but not including 16.10.0-rc-1.

The vulnerability allows any user who can access pages within the XWiki space (which by default is accessible to anyone) to reach the XWiki.Authentication.Administration page without proper authorization. This page controls which authentication mechanism the platform uses. If no authenticator is explicitly set in the configuration file (xwiki.cfg), an attacker can switch the active authenticator to another installed authenticator. By default, however, only the Standard XWiki Authenticator is available, which limits exploitation unless additional authenticators are installed. In environments using Single Sign-On (SSO) authenticators such as OIDC or LDAP, the attacker's main impact is reverting the authentication method to the standard authenticator. This can disrupt authentication flows and potentially lock out legitimate users who rely on SSO, as these users typically have no stored password for the standard authenticator.

The vulnerability requires neither authentication nor user interaction and can be exploited remotely over the network. The issue has been addressed in versions 15.10.14, 16.4.6, and 16.10.0-rc-1. The CVSS 4.0 base score is 8.4 (high): network attack vector, low attack complexity, no privileges required, no user interaction, significant impact on integrity and availability, and limited impact on confidentiality. No exploits are currently reported in the wild.

Potential Impact

For European organizations using vulnerable versions of XWiki, this vulnerability poses a significant risk to the integrity and availability of their authentication mechanisms. Attackers could potentially disrupt user authentication by switching authenticators, especially in environments relying on SSO solutions like OIDC or LDAP. This disruption could lead to denial of service for legitimate users, operational downtime, and increased support costs. In cases where multiple authenticators are installed, an attacker might attempt to switch to a less secure authenticator, potentially weakening the overall security posture. The impact is particularly critical for organizations that depend on XWiki for internal documentation, knowledge management, or collaboration, as unauthorized changes to authentication could facilitate further attacks or data manipulation. Confidentiality impact is limited since the vulnerability does not directly expose sensitive data, but the integrity and availability of authentication processes are at risk. Given the widespread use of XWiki in government, education, and enterprise sectors across Europe, the vulnerability could affect critical infrastructure and services if left unpatched.

Mitigation Recommendations

1. Upgrade the XWiki platform immediately to a patched version: 15.10.14, 16.4.6, or 16.10.0-rc-1 or later.
2. Review and harden the xwiki.cfg configuration to explicitly set a secure authenticator, which prevents the authenticator from being switched at runtime (including fallback to the standard authenticator).
3. Limit access to pages in the XWiki space with strict access control lists (ACLs) or permissions, restricting who can view or modify authentication-related pages.
4. Monitor authentication configuration changes and audit logs for unauthorized modifications to the authenticator settings.
5. For environments using SSO, ensure fallback mechanisms are secure and test authentication flows after patching to prevent service disruption.
6. Conduct internal penetration testing focused on authorization controls around authentication administration pages.
7. Educate administrators about the risks of installing multiple authenticators without proper access controls.
8. If upgrading immediately is not feasible, consider deploying web application firewalls (WAFs) with custom rules to block unauthorized access to the XWiki.Authentication.Administration page.
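The following Python is an added defender-side example (not part of the advisory or of XWiki itself) covering recommendations 2 and 4: it checks whether xwiki.cfg pins an authenticator, and it flags access-log requests to the XWiki.Authentication.Administration page. It assumes the standard xwiki.cfg key `xwiki.authentication.authclass` (not quoted on the page) and XWiki's default URL layout `/bin/<action>/XWiki/Authentication/Administration`; the log lines and config snippets are constructed samples.

```python
import re
from typing import Dict, Iterable, List

# xwiki.cfg key that pins the authenticator (standard XWiki key, assumed here; not quoted on the page).
# Per the advisory, the admin page can only switch authenticators when this key is NOT set.
AUTHCLASS_KEY = "xwiki.authentication.authclass"

def authclass_pinned(cfg_text: str) -> bool:
    """True if xwiki.cfg contains an active (uncommented, non-empty) authclass line."""
    for raw in cfg_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep and key.strip() == AUTHCLASS_KEY and value.strip():
            return True
    return False

# Assumed URL layout: XWiki's default /bin/<action>/<Space>/<SubSpace>/<Page>, so the page
# XWiki.Authentication.Administration is served at /bin/<action>/XWiki/Authentication/Administration.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')
ADMIN_RE = re.compile(r"/bin/(?P<action>[a-z]+)/XWiki/Authentication/Administration(?:[/?]|$)")
MODIFYING_ACTIONS = {"save", "saveandcontinue"}  # XWiki save actions (assumed); any POST also counts

def flag_admin_page_requests(lines: Iterable[str]) -> List[Dict[str, str]]:
    """One finding per request to the authenticator admin page: 'high' for state-changing
    requests (POST or a save-style action), 'medium' for plain views, which are still unexpected."""
    findings: List[Dict[str, str]] = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-log-format line
        hit = ADMIN_RE.search(m["path"])
        if not hit:
            continue
        modifying = m["method"] == "POST" or hit["action"] in MODIFYING_ACTIONS
        findings.append({"ip": m["ip"], "ts": m["ts"], "method": m["method"],
                         "action": hit["action"], "status": m["status"],
                         "severity": "high" if modifying else "medium"})
    return findings

# Constructed sample data: a default-style cfg (key commented out) and a hardened one (key set).
SAMPLE_CFG_DEFAULT = "#-# Authenticator class\n# xwiki.authentication.authclass=com.xpn.xwiki.user.impl.xwiki.XWikiAuthServiceImpl\n"
SAMPLE_CFG_PINNED = "xwiki.authentication.authclass=com.xpn.xwiki.user.impl.xwiki.XWikiAuthServiceImpl\n"
SAMPLE_LOG = [  # constructed combined-log-format lines
    '203.0.113.7 - - [30/Apr/2025:18:30:01 +0000] "GET /xwiki/bin/view/Main/WebHome HTTP/1.1" 200 5120',
    '203.0.113.7 - - [30/Apr/2025:18:30:05 +0000] "GET /xwiki/bin/view/XWiki/Authentication/Administration HTTP/1.1" 200 8801',
    '203.0.113.7 - - [30/Apr/2025:18:30:09 +0000] "POST /xwiki/bin/save/XWiki/Authentication/Administration HTTP/1.1" 302 0',
]
```

Run `flag_admin_page_requests` over real access logs and treat any 'high' finding from a non-admin source as an incident; `authclass_pinned` returning False on a production xwiki.cfg means the runtime switch described in the advisory is still possible on unpatched versions.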


Technical Details

Data Version: 5.1
Assigner Short Name: GitHub_M
Date Reserved: 2025-04-24T21:10:48.173Z
CISA Enriched: true
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 682d983ac4522896dcbed8cd

Added to database: 5/21/2025, 9:09:14 AM

Last enriched: 6/25/2025, 11:47:00 AM

Last updated: 7/28/2025, 10:56:16 PM
