Description
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Wikimedia Foundation MediaWiki.

This vulnerability is associated with program files includes/Skin/Skin.Php.



This issue affects MediaWiki: from * before 1.43.7, 1.44.4, 1.45.2.
Published: 2026-05-11
Score: 2.1 Low
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability involves the display of autoblocked IP addresses within the tools sidebar of MediaWiki, which leaks sensitive information to users who can view the page. The flaw originates in files under includes/Skin/Skin.php. Attackers or unauthenticated users can gain knowledge of IP addresses that the system automatically blocks, potentially exposing patterns of block activity or personal identifiers.

Affected Systems

MediaWiki versions prior to 1.43.7, 1.44.4, or 1.45.2 are affected. Administrators running any of these releases should consider applying the fix in later patches.

Risk and Exploitability

The CVSS score of 2.1 indicates a low impact. Because the EPSS score is unavailable and the vulnerability is not listed in the CISA KEV catalog, the practical likelihood of exploitation is uncertain but the information leakage could still be valuable to a determined attacker. The flaw appears to be exploitable by any user who can access the tools sidebar, either locally or remotely through normal browsing, suggesting that privileged access is not required. Mitigation mainly involves applying the vendor's patch or upgrading to a non-affected release.

Generated by OpenCVE AI on May 11, 2026 at 16:54 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to MediaWiki 1.43.7 or newer (or 1.44.4 / 1.45.2 if those are the latest secure releases) to apply the fix in includes/Skin/Skin.php.
  • If an upgrade is not immediately possible, restrict access to the tools sidebar or configure the site to hide the autoblocked IP display, for example by disabling the feature in localsettings.php or applying CSS to conceal the relevant elements.
  • Verify that no custom skins or extensions expose similar information in their sidebar, and review logs for any suspicious requests that might reveal block activity.

Generated by OpenCVE AI on May 11, 2026 at 16:54 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DSA Debian DSA DSA-6208-1 mediawiki security update
References
Link Providers
https://phabricator.wikimedia.org/T384147 cve-icon cve-icon
History

Mon, 11 May 2026 17:15:00 +0000

Type Values Removed Values Added
First Time appeared Wikimedia
Wikimedia mediawiki
Vendors & Products Wikimedia
Wikimedia mediawiki

Mon, 11 May 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 11 May 2026 15:30:00 +0000

Type Values Removed Values Added
Description Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/Skin/Skin.Php. This issue affects MediaWiki: from * before 1.43.7, 1.44.4, 1.45.2.
Title Block UI elements in 'tools'-sidebar shows presence of an autoblocked IP
Weaknesses CWE-200
References
Metrics cvssV4_0

{'score': 2.1, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Wikimedia Mediawiki
cve-icon MITRE

Status: PUBLISHED

Assigner: wikimedia-foundation

Published:

Updated: 2026-05-11T15:50:58.247Z

Reserved: 2026-03-25T17:15:46.522Z

Link: CVE-2026-34092

cve-icon Vulnrichment

Updated: 2026-05-11T15:50:53.914Z

cve-icon NVD

Status : Undergoing Analysis

Published: 2026-05-11T16:17:30.663

Modified: 2026-05-12T14:45:49.820

Link: CVE-2026-34092

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-11T17:00:15Z

Weaknesses