CVE-2025-49584: CWE-201: Insertion of Sensitive Information Into Sent Data in xwiki xwiki-platform

Severity: High
Type: Vulnerability
Tags: cve, cve-2025-49584, cwe-201
Published: Fri Jun 13 2025 (06/13/2025, 17:21:33 UTC)
Source: CVE Database V5
Vendor/Project: xwiki
Product: xwiki-platform

Description

XWiki is a generic wiki platform. In XWiki Platform versions 10.9 through 16.4.6, 16.5.0-rc-1 through 16.10.2, and 17.0.0-rc-1, the title of every single page whose reference is known can be accessed through the REST API as long as an XClass with a page property is accessible, which is the default for an XWiki installation. This allows an attacker to get titles of pages whose reference is known, one title per request. This doesn't affect fully private wikis, as the REST endpoint checks access rights on the XClass definition. The impact on confidentiality depends on the strategy for page names. By default, page names match the title, so the impact should be low, but if page names are intentionally obfuscated because the titles are sensitive, the impact could be high. This has been fixed in XWiki 16.4.7, 16.10.3 and 17.0.0 by adding access control checks before getting the title of any page.

AI-Powered Analysis

Last updated: 06/13/2025, 17:49:33 UTC

Technical Analysis

CVE-2025-49584 is a high-severity vulnerability affecting multiple versions of the XWiki Platform, a widely used generic wiki platform. The vulnerability arises from improper access control in the REST API endpoint that exposes the titles of wiki pages. In the affected versions (10.9 through 16.4.6, 16.5.0-rc-1 through 16.10.2, and 17.0.0-rc-1), an attacker who knows a page reference can retrieve that page's title, one title per request, provided an XClass with a page property is accessible, which is the default configuration of an XWiki installation. This access does not require authentication or user interaction, and the REST endpoint does not sufficiently verify access rights on the page before disclosing its title.

The vulnerability is classified under CWE-201 (Insertion of Sensitive Information Into Sent Data): sensitive information is leaked unintentionally through a normal data flow. How much is leaked depends on how page names and titles are managed. By default, page names correspond to titles, so the information leakage is minimal, since the title is no more sensitive than the page name an attacker already knows. If an organization uses obfuscated or non-intuitive page names to protect sensitive information, however, this vulnerability could allow attackers to obtain the sensitive titles directly, potentially revealing confidential project names, internal processes, or other sensitive metadata.

Fully private wikis are not affected, because the REST API checks access rights on the XClass definition, but most default installations are vulnerable. The issue has been addressed in XWiki versions 16.4.7, 16.10.3, and 17.0.0 by adding proper access control checks before returning page titles. The CVSS 4.0 base score is 8.7 (high), reflecting the vulnerability's ease of exploitation (no authentication or user interaction required), network attack vector, and high confidentiality impact in certain deployment scenarios.

There are no known exploits in the wild as of the published date, but the vulnerability's characteristics make it a significant risk for organizations running vulnerable XWiki versions. In summary, CVE-2025-49584 is a REST API information disclosure vulnerability in XWiki Platform that can leak page titles without authentication, potentially exposing sensitive information depending on wiki configuration and naming strategy. Prompt patching is required to mitigate the risk.

Potential Impact

For European organizations using XWiki Platform, this vulnerability poses a confidentiality risk that varies based on internal wiki configuration and usage. Organizations that rely on XWiki for collaboration, documentation, or knowledge management may inadvertently expose sensitive project names, internal documentation titles, or other metadata that could aid attackers in reconnaissance or social engineering. This is particularly concerning for sectors handling sensitive data such as finance, healthcare, government, and critical infrastructure, where even metadata leakage can have regulatory and operational consequences. Since the vulnerability does not require authentication or user interaction, it can be exploited remotely by unauthenticated attackers, increasing the attack surface. Although the vulnerability does not directly impact integrity or availability, the exposure of sensitive information could facilitate further targeted attacks or data breaches. The impact is mitigated in fully private wikis but remains significant for default or partially restricted installations. Given the high CVSS score and the widespread use of XWiki in European enterprises and public institutions, the vulnerability could lead to reputational damage, compliance violations (e.g., GDPR if sensitive personal data is indirectly exposed), and increased risk of follow-on attacks. Organizations with complex or sensitive wiki content should prioritize assessment and remediation.

Mitigation Recommendations

1. Immediate Upgrade: Organizations should upgrade affected XWiki Platform versions to the fixed releases 16.4.7, 16.10.3, or 17.0.0 or later. This is the most effective mitigation.
2. Access Control Review: Review and tighten access control policies on XClass definitions and page properties to ensure that sensitive metadata is not exposed to unauthorized users.
3. Wiki Configuration Audit: Audit wiki page naming conventions and metadata exposure. Avoid using sensitive or confidential information in page titles or names.
4. REST API Monitoring: Implement monitoring and logging of REST API access to detect unusual or unauthorized requests that attempt to enumerate page titles.
5. Network Segmentation: Restrict access to the XWiki REST API endpoints to trusted networks or VPNs where possible to reduce exposure to external attackers.
6. Incident Response Preparedness: Prepare to respond to potential information disclosure incidents by having processes to assess the scope of leaked information and notify affected parties if necessary.
7. User Awareness: Educate wiki administrators and users about the risks of exposing sensitive information in page titles and encourage best practices for information classification.

These mitigations go beyond generic patching advice by emphasizing configuration audits, monitoring, and operational controls tailored to the nature of the vulnerability.
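A defender-side check for recommendation 4 above. This is an added example, not XWiki project code and not part of the original advisory: a small Python detector that parses constructed combined-format access logs (the kind a reverse proxy or Tomcat's access-log valve writes in front of XWiki), keeps only GET requests under the standard XWiki REST prefix (/xwiki/rest/, assumed here) that address a specific page reference, and flags any client that requests many distinct page references within a short sliding window. Because the flaw returns one title per request, enumeration shows up at the web tier as a burst of distinct references from one client regardless of whether each request returns 200 or 404. The log lines, client addresses (TEST-NET ranges), the 20-references-per-minute threshold and the path pattern are all constructed assumptions to be tuned to the real deployment.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Added example, not XWiki project code. Assumes combined log format and the
# default XWiki REST prefix; both are assumptions about the deployment.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
REST_PREFIX = "/xwiki/rest/"


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TS_FMT),
        "method": m["method"],
        # Drop the query string so ?media=json variants count as the same reference.
        "path": m["path"].split("?", 1)[0],
        "status": int(m["status"]),
    }


def is_rest_page_request(rec):
    """True for GET requests under the REST prefix that address a specific page."""
    return (rec["method"] == "GET"
            and rec["path"].startswith(REST_PREFIX)
            and "/pages/" in rec["path"])


def find_enumerators(lines, window=timedelta(seconds=60), threshold=20):
    """
    Return {ip: (peak_distinct_references, first_alert_time)} for every client
    that addressed at least `threshold` distinct page references inside any
    `window`-long span. Status codes are deliberately ignored: a guessing
    attacker produces a mix of hits and misses, and the rate of distinct
    references is the signal either way.
    """
    events = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is not None and is_rest_page_request(rec):
            events[rec["ip"]].append((rec["ts"], rec["path"]))

    alerts = {}
    for ip, evs in events.items():
        evs.sort()
        in_window = Counter()  # path -> number of requests inside the window
        left = 0
        peak, first = 0, None
        for ts, path in evs:
            in_window[path] += 1
            # Slide the left edge forward until every event is within `window` of `ts`.
            while ts - evs[left][0] > window:
                old = evs[left][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            distinct = len(in_window)
            if distinct >= threshold:
                peak = max(peak, distinct)
                if first is None:
                    first = ts
        if first is not None:
            alerts[ip] = (peak, first)
    return alerts


# Constructed sample log (not from a real server): one client browsing normally,
# one client walking 25 guessed page references in 25 seconds.
BASE = datetime(2025, 6, 14, 9, 0, 0, tzinfo=timezone.utc)


def _log(ip, seconds, path, status):
    ts = (BASE + timedelta(seconds=seconds)).strftime(TS_FMT)
    return f'{ip} - - [{ts}] "GET {path} HTTP/1.1" {status} 512 "-" "curl/8.0"'


SAMPLE_LOG = [
    _log("198.51.100.7", 0, "/xwiki/bin/view/Main/WebHome", 200),
    _log("198.51.100.7", 90, "/xwiki/rest/wikis/xwiki/spaces/Main/pages/WebHome?media=json", 200),
    _log("198.51.100.7", 400, "/xwiki/rest/wikis/xwiki/spaces/Sandbox/pages/WebHome", 200),
] + [
    _log("203.0.113.5", i, f"/xwiki/rest/wikis/xwiki/spaces/Projects/pages/p{i:04d}",
         200 if i % 3 else 404)
    for i in range(25)
]

if __name__ == "__main__":
    for ip, (peak, first) in find_enumerators(SAMPLE_LOG).items():
        print(f"ALERT {ip}: {peak} distinct page references, first crossed at {first.isoformat()}")
```

Feed it a real access log with `find_enumerators(open(path))` and tune `window` and `threshold` to the normal request pattern of your own integrations; a search indexer or a scripted export may legitimately exceed 20 references per minute and should be allow-listed by source address rather than by raising the threshold for everyone.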


Technical Details

Data Version: 5.1
Assigner Short Name: GitHub_M
Date Reserved: 2025-06-06T15:44:21.556Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 684c6120a8c921274380b95b

Added to database: 6/13/2025, 5:34:24 PM

Last enriched: 6/13/2025, 5:49:33 PM

Last updated: 6/14/2025, 7:22:26 AM
