The vulnerability CVE-2025-49594 affects the xwiki-contrib oidc module, which integrates OpenID Connect protocol support into XWiki. Specifically, in versions >= 2.17.1 and < 2.18.2, the module improperly authorizes token creation: any user with VIEW access to another user's profile can generate an authentication token for that user. Since XWiki instances often allow registered users to view other profiles, this effectively enables unauthorized users to impersonate others by authenticating with the generated tokens if token authentication is enabled. This is a classic CWE-285 (Improper Authorization) issue where access control checks are insufficient or missing. The vulnerability compromises confidentiality (unauthorized access to user accounts), integrity (potential unauthorized actions under another user's identity), and availability (possible disruption through misuse). The CVSS 4.0 vector indicates network attack vector, low attack complexity, no user interaction, no privileges required, and high impact on confidentiality, integrity, and availability. The vulnerability was reserved in June 2025 and published in October 2025. The fix is included in version 2.18.2 of the oidc module. Until patching, disabling token authentication is advised to mitigate risk. No public exploits have been reported, but the vulnerability's nature makes it a high-risk target for attackers seeking lateral movement or privilege escalation within XWiki environments.

For European organizations using XWiki with the oidc module in the vulnerable versions, this vulnerability poses a significant risk. Unauthorized users can impersonate any user with a viewable profile, potentially gaining access to sensitive internal documentation, confidential project information, or administrative functions depending on the impersonated user's privileges. This can lead to data breaches, unauthorized data manipulation, and disruption of business processes. Organizations in sectors with strict data protection regulations such as GDPR (e.g., finance, healthcare, government) face heightened compliance risks and potential legal penalties if exploited. The ability to authenticate as another user without credentials undermines trust in identity and access management, increasing the risk of insider threat exploitation and advanced persistent threats. Additionally, the vulnerability could facilitate lateral movement within networks, enabling attackers to escalate privileges and compromise broader IT infrastructure.

European organizations should immediately identify XWiki instances running the oidc module versions between 2.17.1 and 2.18.2. The primary mitigation is to upgrade the oidc module to version 2.18.2 or later, which contains the patch. Until patching is possible, disable token authentication in the XWiki configuration to prevent token-based login exploitation. Review and restrict VIEW access permissions on user profiles to the minimum necessary, limiting exposure. Implement monitoring and alerting for unusual authentication token creation or login patterns indicative of exploitation attempts. Conduct thorough audits of user accounts and access logs to detect potential unauthorized access. Incorporate this vulnerability into incident response plans and ensure security teams are aware of the risk. Finally, consider network segmentation and additional access controls around XWiki instances to reduce attack surface and limit potential lateral movement.