Description
Vulnerability in Wikimedia Foundation MediaWiki.

This vulnerability is associated with program files includes/Page/Article.Php.



This issue affects MediaWiki: from * before 1.43.7, 1.44.4, 1.45.2.
Published: 2026-05-11
Score: 2 Low
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises because the link generated for the page protection indicator in MediaWiki omits the required "/wiki/" prefix, causing the link to become relative to the current subpage. This fault leads to broken or misleading help links for users viewing protected pages. While the flaw does not directly expose confidential data or allow arbitrary code execution, it could confuse users or inadvertently direct them to unintended content. The weakness can be mapped to CWE‑668: Improper Access Control.

Affected Systems

Affected systems are all MediaWiki installations prior to the release of versions 1.43.7, 1.44.4, and 1.45.2. The vulnerability is documented as stemming from includes/Page/Article.php. Any instance of MediaWiki before those dates that has not yet applied official patches remains susceptible.

Risk and Exploitability

The CVSS score is 2, indicating a low severity assessment. The EPSS score is not available, and the flaw is not listed in the CISA KEV catalog, suggesting that exploitation is unlikely. The likely attack vector involves a user creating or linking to a subpage that would trigger the faulty link generation; the impact is primarily user experience degradation rather than a critical security compromise. Nevertheless, administrators are advised to address the flaw to maintain correct site functionality.

Generated by OpenCVE AI on May 11, 2026 at 23:07 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade MediaWiki to at least 1.45.3, which includes the fix for the missing "/wiki/" prefix in the page protection link.
  • If an immediate upgrade is not possible, implement a web filtration rule that blocks or redirects requests to malformed help URLs, ensuring users cannot access unintended content.
  • Monitor access logs for attempts to reach malformed help URLs and enforce corrective redirects or provide a user-friendly error page.

Generated by OpenCVE AI on May 11, 2026 at 23:07 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DSA Debian DSA DSA-6208-1 mediawiki security update
References
Link Providers
https://phabricator.wikimedia.org/T416090 cve-icon cve-icon
History

Mon, 11 May 2026 21:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-79

Mon, 11 May 2026 19:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-668
CWE-79
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 11 May 2026 18:45:00 +0000

Type Values Removed Values Added
First Time appeared Wikimedia
Wikimedia mediawiki
Vendors & Products Wikimedia
Wikimedia mediawiki

Mon, 11 May 2026 17:30:00 +0000

Type Values Removed Values Added
Description Vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/Page/Article.Php. This issue affects MediaWiki: from * before 1.43.7, 1.44.4, 1.45.2.
Title Customized help link for page protection indicator is relative to subpage name, because the link target is missing the "/wiki/" prefix
References
Metrics cvssV4_0

{'score': 2, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Wikimedia Mediawiki
cve-icon MITRE

Status: PUBLISHED

Assigner: wikimedia-foundation

Published:

Updated: 2026-05-11T18:06:58.192Z

Reserved: 2026-03-25T17:15:46.522Z

Link: CVE-2026-34094

cve-icon Vulnrichment

Updated: 2026-05-11T18:06:47.326Z

cve-icon NVD

Status : Undergoing Analysis

Published: 2026-05-11T18:16:32.100

Modified: 2026-05-12T14:45:49.820

Link: CVE-2026-34094

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-11T23:15:09Z

Weaknesses