The vulnerability arises from an improper removal of sensitive information before storage or transfer within the MediaWiki CentralAuth Extension, resulting in a resource leak exposure. Specifically, user email addresses are not fully purged during a global vanish operation, leaving them potentially recoverable from memory or logs. This flaw falls under CWE-212 and can lead to privacy compromise through unintended disclosure of email addresses.

The flaw affects the Wikimedia Foundation’s MediaWiki CentralAuth Extension. The issue has been addressed in the master branch and in the release branches for MediaWiki versions 1.43, 1.44, and 1.45. Users running those or earlier affected releases should ensure that the CentralAuth extension is updated to the patched state before the vulnerability can be triggered.

A CVSS score of 8.8 classifies the vulnerability as high severity, whereas the EPSS score of less than 1 % indicates a low likelihood of widespread exploitation. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector, inferred from the description, involves a user initiating a global vanish action that does not completely erase the email address from system memory or logs; the residual data may then become accessible to other users or logged systems. Exploitation would require that the CentralAuth extension process user email during a vanish operation, as described above.