wire-server provides back end services for Wire, a team communication and collaboration platform. Prior to version 2022-12-09, every member of a Conversation can remove a Bot from a Conversation due to a missing permissions check. Only Conversation admins should be able to remove Bots. Regular Conversations are not allowed to do so. The issue is fixed in wire-server 2022-12-09 and is already deployed on all Wire managed services. On-premise instances of wire-server need to be updated to 2022-12-09/Chart 4.29.0, so that their backends are no longer affected. There are no known workarounds.
Conclusion & alert: CVE-2023-22737 is rated Moderate Risk (43.7/100): CVSS Medium severity, with low exploitation likelihood (EPSS 0.73%). Mandatory action: Review affected assets and schedule remediation.
Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.
EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).
| # | Date | Old EPSS score | New EPSS score | Delta (New - Old) |
|---|---|---|---|---|
| 1 | 2026-06-15 | 0.30% | 0.73% | +0.43% |
| 2 | 2026-01-29 | 0.06% | 0.30% | +0.24% |
| 3 | 2025-11-21 | — | 0.06% | — |
Full EPSS history (11 records total)
CVSS metrics for this CVE.
| Base score | Version | Severity | Vector | Exploitability | Impact | Score source |
|---|---|---|---|---|---|---|
| 6.5 | 3.1 | MEDIUM |
|
2.8 | 3.6 | [email protected] |
| 6.5 | 3.1 | MEDIUM |
|
2.8 | 3.6 | [email protected] |
| URL | Tags |
|---|---|
| https://github.com/wireapp/wire-server/commit/494a6881f5895d4ed9e5d011455242be0d5e6223 | Patch Third Party Advisory |
| https://github.com/wireapp/wire-server/pull/2870 | Patch Third Party Advisory |
| https://github.com/wireapp/wire-server/releases/tag/v2022-12-09 | Release Notes Third Party Advisory |
| https://github.com/wireapp/wire-server/security/advisories/GHSA-xmjc-c6w3-pcp4 | Third Party Advisory |