Description
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Wikimedia Foundation MediaWiki.

This issue affects MediaWiki: from * before 1.43.7, 1.44.4, 1.45.2.
Published: 2026-05-11
Score: 1.3 Low
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability allows an attacker to view suppressed or private content via the RecentChanges log page, disclosing sensitive information that should remain hidden. The weakness maps to CWE-200 (Information Exposure); the only other classification on record is the generic NVD-CWE-noinfo placeholder.

Affected Systems

The issue is present in MediaWiki released by the Wikimedia Foundation, affecting all versions before 1.43.7, 1.44.4, and 1.45.2.

Risk and Exploitability

The CVSS score is 1.3, reflecting low severity. The EPSS score is 0.00042 (0.042%), indicating a very low probability of exploitation. The vulnerability is not listed in CISA's KEV catalog. The likely attacker is any user with web access to a MediaWiki instance who can navigate to the RecentChanges page. Although the risk is low, organizations running vulnerable versions should evaluate the potential exposure of sensitive content.

Generated by OpenCVE AI on May 14, 2026 at 17:55 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade MediaWiki to a version that includes the fix (≥1.43.7, 1.44.4, 1.45.2 or newer).
  • If an upgrade is not immediately possible, restrict access to the RecentChanges page by configuring permissions so that only authorized users can view it, or disable logging of suppressed content altogether.
  • Review and approve any configuration changes that prevent the log page from exposing private content, and re-test the log page to confirm that suppressed content is no longer visible.



Advisories
| Source | ID | Title |
|---|---|---|
| Debian DSA | DSA-6208-1 | mediawiki security update |
| Ubuntu USN | USN-8315-1 | MediaWiki vulnerabilities |
History

Thu, 14 May 2026 16:45:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | | Mediawiki; Mediawiki mediawiki |
| Weaknesses | | NVD-CWE-noinfo |
| CPEs | | cpe:2.3:a:mediawiki:mediawiki:*:*:*:*:*:*:*:* |
| Vendors & Products | | Mediawiki; Mediawiki mediawiki |
| Metrics | | cvssV3_1: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'} |


Mon, 11 May 2026 18:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | | Wikimedia; Wikimedia mediawiki |
| Vendors & Products | | Wikimedia; Wikimedia mediawiki |

Mon, 11 May 2026 16:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'} |


Mon, 11 May 2026 15:30:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Wikimedia Foundation MediaWiki. This issue affects MediaWiki: from * before 1.43.7, 1.44.4, 1.45.2. |
| Title | | RecentChanges entries expose suppressed content via generated log page html |
| Weaknesses | | CWE-200 |
| References | | |
| Metrics | | cvssV4_0: {'score': 1.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/R:U/RE:M'} |


MITRE

Status: PUBLISHED

Assigner: wikimedia-foundation

Published:

Updated: 2026-05-11T16:03:31.132Z

Reserved: 2026-03-25T17:15:46.521Z

Link: CVE-2026-34088

Vulnrichment

Updated: 2026-05-11T16:03:27.463Z

NVD

Status: Analyzed

Published: 2026-05-11T16:17:30.157

Modified: 2026-05-14T16:43:47.327

Link: CVE-2026-34088

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-14T18:00:14Z

Weaknesses