CVE-2025-32969

org.xwiki.platform:xwiki-platform-rest-server allows SQL injection in query endpoint of REST API

CVSS 9.3 CRITICAL · EPSS 79.5% · CWE-89
In short

XWiki's REST API query endpoint allows unauthenticated attackers to inject malicious SQL commands into the database by bypassing the HQL query parser. This could expose sensitive data like passwords or allow attackers to modify or delete database records.

Technical detail

A remote unauthenticated attacker can escape HQL execution context via the REST API query endpoint to perform blind SQL injection (CWE-89) against the backend database. The vulnerability bypasses access controls even when anonymous viewing/editing is disabled, enabling extraction of confidential information or execution of arbitrary UPDATE/INSERT/DELETE queries depending on database permissions.

Summary generated and translated by AI from the official description.
XWiki is a generic wiki platform. In versions starting from 1.8 and prior to 15.10.16, 16.4.6, and 16.10.1, it is possible for a remote unauthenticated user to escape from the HQL execution context and perform a blind SQL injection to execute arbitrary SQL statements on the database backend, including when "Prevent unregistered users from viewing pages, regardless of the page rights" and "Prevent unregistered users from editing pages, regardless of the page rights" options are enabled. Depending on the used database backend, the attacker may be able to not only obtain confidential information such as password hashes from the database, but also execute UPDATE/INSERT/DELETE queries. This issue has been patched in versions 16.10.1, 16.4.6 and 15.10.16. There is no known workaround, other than upgrading XWiki.
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Affected products
xwiki · xwiki-platform