Unauthorized account creation via registration function
Summary
An issue in DokuWiki 2025-05-14b "Librarian" 56.2 allows a remote attacker to create an account via the register function in inc/auth.php. NOTE: this is disputed by the Supplier because this is the intentional behavior when the product is configured for self-registration (a non-default feature). A flaw was found in DokuWiki. This occurs when the DokuWiki instance is configured to allow self-registration, which is not the default setting. This could lead to the creation of unauthorized user accounts. An attacker could create unauthorized user accounts if this non-default feature is enabled. Red Hat severity: Low — CVSS 3.7 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N). Weakness: CWE-306.
Mitigation checklist
- To mitigate this issue, ensure that the self-registration feature in DokuWiki is disabled if not explicitly required. This can typically be controlled within the DokuWiki configuration settings. Consult the DokuWiki documentation for specific instructions on managing user registration settings. If the DokuWiki service is reloaded or restarted after configuration changes, verify the setting has taken effect.
Official advisory · high-confidence parse· fetched 2 hours ago·verify at source
Discussion(0)
No comments yet. Share field notes, upgrade gotchas, or questions — verify against the vendor advisory before acting on community advice.
Sign in to join the discussion.