Description
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Wikimedia Foundation OATHAuth.

This issue affects OATHAuth: from * before 1.43.7, 1.44.4, 1.45.2.
Published: 2026-05-11
Score: 5.1 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability allows an unauthorized actor, via the Wikimedia Foundation OATHAuth Users API, to determine whether privileged users have had their user groups disabled for lacking two-factor authentication. This disclosure of privileged account status is a confidentiality breach (CWE-200) and can enable attackers to target privileged users or craft tailored social engineering attacks.

Affected Systems

Wikimedia Foundation OATHAuth deployments prior to version 1.43.7, 1.44.4, and 1.45.2 are affected. The issue exists in all earlier releases of the software.

Risk and Exploitability

The CVSS score of 5.1 denotes moderate risk, and the EPSS score is not available, leaving exploit probability uncertain. The vulnerability is not listed in the CISA KEV catalog, implying it may not be widely exploited currently. Nevertheless, because it reveals privileged user status, an attacker who can reach the API can focus subsequent attacks on identified accounts. The most likely attack vector is through the public or unauthenticated API endpoint that returns privileged user data.

Generated by OpenCVE AI on May 11, 2026 at 16:57 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Wikimedia Foundation OATHAuth to a fixed version (1.43.7 or later, 1.44.4 or later, or 1.45.2 or later, depending on your deployment).
  • Restrict the Users API to authenticated administrators only to prevent unauthorized disclosure of privileged user status.
  • Enforce two‑factor authentication for all privileged users and verify that user groups are properly disabled when 2FA is not enabled.

Advisories

Source: Debian DSA
ID: DSA-6208-1
Title: mediawiki security update

References
History

Mon, 11 May 2026 17:45:00 +0000

Type: First Time appeared
Values Added: Wikimedia; Wikimedia oathauth

Type: Vendors & Products
Values Added: Wikimedia; Wikimedia oathauth

Mon, 11 May 2026 15:30:00 +0000

Type: Description
Values Added: Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Wikimedia Foundation OATHAuth. This issue affects OATHAuth: from * before 1.43.7, 1.44.4, 1.45.2.

Type: Title
Values Added: Users API leaks whether privileged users have their user groups disabled for lack of 2FA

Type: Weaknesses
Values Added: CWE-200

Type: References

Type: Metrics
Values Added: cvssV4_0 {'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/S:N/AU:Y/R:A/RE:M'}


MITRE

Status: PUBLISHED
Assigner: wikimedia-foundation
Published:
Updated: 2026-05-11T16:03:51.630Z
Reserved: 2026-03-25T17:15:46.521Z
Link: CVE-2026-34087

Vulnrichment

No data.

NVD

Status: Received
Published: 2026-05-11T16:17:30.023
Modified: 2026-05-11T16:17:30.023
Link: CVE-2026-34087

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-11T17:30:15Z

Weaknesses