Description
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Wikimedia Foundation CheckUser.

This issue affects CheckUser: from 1.45.0 before 1.45.2.
Published: 2026-05-11
Score: 4.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Wikimedia Foundation’s CheckUser module contains a flaw that allows the disclosure of sensitive user data – notably suppressed usernames – to actors who are not authorized to view such information. The vulnerability stems from improper handling of suppressed data within the module’s logic, causing unintended exposure of user identities. The impact is a loss of confidentiality, potentially enabling attackers or malicious actors to identify users who have chosen to suppress their username, thereby undermining privacy protections.

Affected Systems

The affected product is Wikimedia Foundation CheckUser, versions starting with 1.45.0 up to and including 1.45.1. Any installation running these versions without the subsequent fix is susceptible to the disclosure. All users and administrators with CheckUser privileges on impacted installations may be exposed to the flaw.

Risk and Exploitability

The CVSS score of 4.8 categorizes the vulnerability as moderate; the EPSS score is not available, and the issue is not listed in the CISA KEV catalog. While the description does not specify the attack vector, it is inferred that an adversary with CheckUser privileges or access to the server could trigger the data leak, potentially requiring local access or use of the CheckUser interface. The lack of an EPSS or KEV listing suggests a lower likelihood of widespread exploitation, yet the confidentiality breach remains significant for sensitive environments.

Generated by OpenCVE AI on May 11, 2026 at 16:56 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to CheckUser version 1.45.2 or later to eliminate the disclosure flaw.
  • Restrict CheckUser permissions to trusted accounts only, ensuring that only authorized personnel can invoke the module.
  • If the module is not required for your deployment, disable or remove the CheckUser extension to remove the attack surface.
  • Monitor system logs for unusual CheckUser activity and verify that no suppressed usernames are being disclosed.

Generated by OpenCVE AI on May 11, 2026 at 16:56 UTC.

Tracking


Advisories

No advisories yet.

References
History

Mon, 11 May 2026 17:30:00 +0000

Type                 Values Removed   Values Added
First Time appeared  (none)           Wikimedia; Wikimedia checkuser
Vendors & Products   (none)           Wikimedia; Wikimedia checkuser

Mon, 11 May 2026 16:15:00 +0000

Type     Values Removed   Values Added
Metrics  (none)           ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 11 May 2026 15:30:00 +0000

Type         Values Removed   Values Added
Description  (none)           Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Wikimedia Foundation CheckUser. This issue affects CheckUser: from 1.45.0 before 1.45.2.
Title        (none)           Suggested investigations: Handle suppressed usernames
Weaknesses   (none)           CWE-200
References   (none)           (none)
Metrics      (none)           cvssV4_0: {'score': 4.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/R:U'}


MITRE

Status: PUBLISHED

Assigner: wikimedia-foundation

Published:

Updated: 2026-05-11T15:51:32.487Z

Reserved: 2026-03-25T17:15:46.521Z

Link: CVE-2026-34090

Vulnrichment

Updated: 2026-05-11T15:51:27.108Z

NVD

Status : Awaiting Analysis

Published: 2026-05-11T16:17:30.407

Modified: 2026-05-12T14:45:49.820

Link: CVE-2026-34090

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-11T17:15:39Z

Weaknesses