Description
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Wikimedia Foundation MediaWiki.

This issue affects MediaWiki: from * before 1.43.7, 1.44.4, 1.45.2.
Published: 2026-05-11
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises from MediaWiki’s AbuseFilter and EventStream components unintentionally exposing user locale data to anyone able to read the event streams. The leak lets an unauthorised actor learn a user’s language or regional preferences, which is private information that can be used to deanonymise users or profile their behaviour, violating the confidentiality of user data. The flaw is a typical information‑disclosure weakness (CWE‑200).

Affected Systems

The issue affects all releases of MediaWiki before 1.43.7, 1.44.4, and 1.45.2, including any older versions still in use. The vulnerable component is part of the core Wikimedia Foundation MediaWiki distribution.
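A branch-aware version check is the first thing an operator wants from an advisory written as "before 1.43.7, 1.44.4, 1.45.2". The following Python is an added example, not OpenCVE's or MediaWiki's own code; it assumes the usual reading of that range (a 1.43.x install is fixed at 1.43.7 or later, 1.44.x at 1.44.4 or later, 1.45.x at 1.45.2 or later, anything older than the 1.43 branch is unpatched, and branches newer than 1.45 are outside the stated range). The inventory it triages is constructed sample data.

```python
"""Affected-version triage for CVE-2026-34091 (added example; assumptions noted inline)."""

import re
from typing import Dict, Optional, Tuple

Version = Tuple[int, int, int]

# Fixed releases as listed by the advisory, keyed by (major, minor) branch.
FIXED_RELEASES: Dict[Tuple[int, int], Version] = {
    (1, 43): (1, 43, 7),
    (1, 44): (1, 44, 4),
    (1, 45): (1, 45, 2),
}
OLDEST_FIXED_BRANCH = min(FIXED_RELEASES)   # (1, 43)
NEWEST_FIXED_BRANCH = max(FIXED_RELEASES)   # (1, 45)


def parse_version(text: str) -> Version:
    """Extract major.minor[.patch] from strings such as '1.43.7',
    'MediaWiki 1.44.0-rc.1' or '1.45'. Pre-release suffixes are ignored,
    so a 1.44.0 release candidate compares as 1.44.0 (i.e. affected)."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)


def fixed_release_for(version: str) -> Optional[Version]:
    """Return the fixed release that applies to this install's branch.
    Branches older than 1.43 are pointed at the oldest fixed release
    (assumption: they receive no backport). Branches newer than 1.45 are
    not covered by the advisory and return None."""
    branch = parse_version(version)[:2]
    if branch in FIXED_RELEASES:
        return FIXED_RELEASES[branch]
    if branch < OLDEST_FIXED_BRANCH:
        return FIXED_RELEASES[OLDEST_FIXED_BRANCH]
    return None


def is_affected(version: str) -> bool:
    """True when the install predates the fixed release of its branch."""
    v = parse_version(version)
    target = fixed_release_for(version)
    if target is None:
        return False            # newer than any branch the advisory names
    if v[:2] < OLDEST_FIXED_BRANCH:
        return True             # unsupported branch: always unpatched
    return v < target


def recommended_upgrade(version: str) -> Optional[str]:
    """Human-readable upgrade target, or None if no action is needed."""
    if not is_affected(version):
        return None
    return ".".join(map(str, fixed_release_for(version)))


def triage_inventory(inventory: Dict[str, str]) -> Dict[str, Optional[str]]:
    """Map host -> upgrade target (None = not affected) for a fleet."""
    return {host: recommended_upgrade(ver) for host, ver in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    sample = {
        "wiki-legacy": "MediaWiki 1.39.11",
        "wiki-lts": "1.43.6",
        "wiki-prod": "1.44.4",
        "wiki-staging": "1.45.1",
    }
    for host, action in triage_inventory(sample).items():
        print(f"{host:14s} {'upgrade to ' + action if action else 'not affected'}")
```

Running the block prints one line per host; the two functions worth wiring into a fleet scanner are `is_affected` and `recommended_upgrade`, and the branch table at the top is the only thing to update when the advisory changes.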

Risk and Exploitability

The CVSS score of 5.5 indicates moderate severity. EPSS is not available, so the likelihood of exploitation is unclear. The vulnerability is not listed in the CISA KEV catalog, suggesting no known widespread exploitation. However, the bug can be triggered by any user with access to the event stream or AbuseFilter logs, so the attack surface is wherever those streams are exposed, locally or over the network. Given that the flaw does not require privileged access, moderate risk remains until a fix is applied.

Generated by OpenCVE AI on May 11, 2026 at 16:55 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to a fixed release for your branch: 1.43.7, 1.44.4 or 1.45.2, or any newer release.
  • Disable or restrict access to the AbuseFilter and EventStream APIs that expose locale data.
  • Verify that user privacy settings and data‑handling policies remain consistent with the updated configuration.

Generated by OpenCVE AI on May 11, 2026 at 16:55 UTC.


Advisories

Source: Debian DSA
ID: DSA-6208-1
Title: mediawiki security update
References
History

Mon, 11 May 2026 20:30:00 +0000

Type: First Time appeared
Values Added: Wikimedia; Wikimedia mediawiki

Type: Vendors & Products
Values Added: Wikimedia; Wikimedia mediawiki

Mon, 11 May 2026 16:15:00 +0000

Type: Metrics
Values Added: ssvc
{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 11 May 2026 15:30:00 +0000

Type: Description
Values Added: Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Wikimedia Foundation MediaWiki. This issue affects MediaWiki: from * before 1.43.7, 1.44.4, 1.45.2.

Type: Title
Values Added: User localization leaked by AbuseFilter + EventStream

Type: Weaknesses
Values Added: CWE-200

Type: References
Values Added: (none listed)

Type: Metrics
Values Added: cvssV4_0
{'score': 5.5, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/R:U'}


MITRE

Status: PUBLISHED

Assigner: wikimedia-foundation

Published:

Updated: 2026-05-11T16:03:07.320Z

Reserved: 2026-03-25T17:15:46.522Z

Link: CVE-2026-34091

Vulnrichment

Updated: 2026-05-11T16:03:03.905Z

NVD

Status: Undergoing Analysis

Published: 2026-05-11T16:17:30.537

Modified: 2026-05-12T14:45:49.820

Link: CVE-2026-34091

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-11T20:15:08Z

Weaknesses