Description
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Wikimedia Foundation Echo.

This vulnerability is associated with program files includes/Api/ApiEchoNotifications.Php.

This issue affects Echo: from * before 1.43.7, 1.44.4, 1.45.2.
Published: 2026-05-11
Score: 2.3 Low
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability allows unauthorized actors to view sensitive information because the ApiEchoNotifications.php endpoint fails to restrict data exposure. The weakness is a plain data exposure issue (CWE-200) and primarily compromises confidentiality without affecting integrity or availability.

Affected Systems

The flaw is present in all Wikimedia Foundation Echo releases prior to 1.43.7, 1.44.4, or 1.45.2. Any deployment using those older releases is susceptible.

Risk and Exploitability

The CVSS score of 2.3 indicates a low risk rating, and the vulnerability is not listed in the CISA KEV catalog. Exploitation does not require any user credentials; an attacker only needs network access to send a request to the vulnerable ApiEchoNotifications.php endpoint and can retrieve sensitive data that should be restricted. Because EPSS is not available, the precise probability of exploitation is unknown, but the low CVSS score suggests it is not a high-threat vulnerability.

Generated by OpenCVE AI on May 11, 2026 at 19:05 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Echo to the latest available release (at least 1.43.7, 1.44.4, or 1.45.2, depending on the current deployment).
  • If an immediate upgrade is not possible, restrict access to the /ApiEchoNotifications.php endpoint at the network or application layer and ensure authentication is required to use it.
  • Deploy monitoring of API logs for anomalous requests to the Echo notification endpoint and for any sensitive data exposure patterns, so potential exploitation attempts can be identified early.

Generated by OpenCVE AI on May 11, 2026 at 19:05 UTC.

Advisories

Source: Debian DSA
ID: DSA-6208-1
Title: mediawiki security update
References
History

Tue, 12 May 2026 10:45:00 +0000

Type: First Time appeared
Values Added: Wikimedia; Wikimedia echo

Type: Vendors & Products
Values Added: Wikimedia; Wikimedia echo

Mon, 11 May 2026 19:30:00 +0000

Type: Title
Values Added: Echo API Exposure of Sensitive Information to Unauthorized Actors

Mon, 11 May 2026 18:30:00 +0000

Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 11 May 2026 17:30:00 +0000

Type: Description
Values Added: Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Wikimedia Foundation Echo. This vulnerability is associated with program files includes/Api/ApiEchoNotifications.Php. This issue affects Echo: from * before 1.43.7, 1.44.4, 1.45.2.

Type: Weaknesses
Values Added: CWE-200

Type: References
Values Added:

Type: Metrics
Values Added: cvssV4_0 {'score': 2.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N'}

MITRE

Status: PUBLISHED

Assigner: wikimedia-foundation

Published:

Updated: 2026-05-11T18:00:17.517Z

Reserved: 2026-03-31T18:45:42.439Z

Link: CVE-2026-5266

Vulnrichment

Updated: 2026-05-11T18:00:14.374Z

NVD

Status: Awaiting Analysis

Published: 2026-05-11T18:16:42.033

Modified: 2026-05-12T14:45:49.820

Link: CVE-2026-5266

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-12T09:22:49Z

Weaknesses