HIGH 7.5 Maven
XWiki Platform's Livetable results still allow reconstructing password hashes using 768 requests
GHSA-rh28-mqj4-8x59 · CVE-2026-48048
Description
Impact
XWiki discovered that the patch for GHSA-5cf8-vrr8-8hjm was insufficient: with slightly modified parameters to the LiveTableResults, it is still possible to discover password hashes one bit at a time, so with 768 requests the full password salt and hash of a user can be retrieved.
Patches
The check for password (and email properties) has been adjusted in XWiki 18.0.0RC1, 17.10.13, 17.4.9 and 16.10.17.
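The following Python example is added here to illustrate the two points above (the bit-at-a-time leak in Impact and the adjusted property check in Patches); it is not XWiki code and does not reproduce XWiki's actual LiveTableResults parameters or the real bypass. It is a toy results endpoint over constructed user rows, with a hypothetical regex column filter, a deliberately insufficient `naive_gate` that compares the raw column name, and a `hardened_gate` that canonicalizes the name the same way the backend does and then requires it to be on an allow-list. `leak_hex` shows why a yes/no answer per request recovers the stored salt and hash at one bit per request.

```python
import hashlib
import re

# Constructed sample data (not real XWiki rows): one user whose password
# property stores "hash:<salt>:<sha256 hex>", as a salted hash would be.
SALT = "6f1d2b9c"
DIGEST = hashlib.sha256((SALT + "correct horse battery").encode()).hexdigest()
USERS = [{"name": "Alice", "email": "alice@example.org",
          "password": f"hash:{SALT}:{DIGEST}"}]

FILTERABLE = {"name"}  # allow-list: the only column a caller may filter on


def canonical(column):
    """How the toy backend resolves a column name: trims and lowercases."""
    return column.strip().lower()


def livetable_rows(params, rows=USERS, gate=None):
    """Toy results endpoint (hypothetical): regex-filter one column and
    return the matching rows. `gate` is the pre-check run on raw params."""
    if gate is not None:
        gate(params)
    col = canonical(params.get("column", ""))
    return [r for r in rows if re.search(params.get("filter", ""), r.get(col, ""))]


def naive_gate(params):
    """Insufficient check: compares the raw parameter only, so any spelling
    the backend still resolves to the property slips through."""
    if params.get("column") in ("password", "email"):
        raise PermissionError("filter on protected property")


def hardened_gate(params):
    """Canonicalize exactly as the backend does, then require the column to
    be on the allow-list; anything else is refused before rows are read."""
    if canonical(params.get("column", "")) not in FILTERABLE:
        raise PermissionError("filter on non-filterable property")


def is_blocked(column, gate):
    """True if `gate` refuses a filter on `column` before any row is read."""
    try:
        livetable_rows({"column": column, "filter": ""}, gate=gate)
        return False
    except PermissionError:
        return True


def leak_hex(query, prefix, length):
    """Recover `length` hex chars following `prefix`, one bit per request:
    four range tests narrow each hex digit from 16 candidates to 1."""
    known, requests = "", 0
    for _ in range(length):
        lo, hi = 0, 15
        while lo < hi:
            mid = (lo + hi) // 2
            pattern = "^" + re.escape(prefix + known) + f"[{lo:x}-{mid:x}]"
            requests += 1
            if query(pattern):   # "any row matches?" is the single leaked bit
                hi = mid
            else:
                lo = mid + 1
        known += f"{lo:x}"
    return known, requests


def reconstruct_hash(column, gate=None):
    """Drive the oracle against `column`; returns (salt, digest, requests)."""
    def query(pattern):
        return bool(livetable_rows({"column": column, "filter": pattern}, gate=gate))
    salt, n1 = leak_hex(query, "hash:", len(SALT))
    digest, n2 = leak_hex(query, f"hash:{salt}:", len(DIGEST))
    return salt, digest, n1 + n2


if __name__ == "__main__":
    print(reconstruct_hash("password"))               # no gate: full leak
    print(reconstruct_hash(" Password", naive_gate))  # raw-string check bypassed
    print("hardened gate blocks:", is_blocked(" Password", hardened_gate))
```

The request count is exactly four per hex character (one per halving), which is the property the advisory's figure relies on: any endpoint that answers "does a row match this filter?" leaks one bit of a hidden column per request, so the fix has to refuse the filter on the server before it is evaluated, using the same name resolution the query code uses, rather than pattern-matching the raw parameter.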
Workarounds
The patch can be applied manually to the wiki page XWiki.LiveTableResultsMacros.