Impact
The vulnerability originates in how MediaWiki’s parser handles the $wgNonincludableNamespaces setting. By embedding a redirect within a namespace usually excluded from parsing, an attacker can force the parser to read content from a protected namespace that should not be publicly accessible. The flaw allows an unauthorized actor to view confidential information that is otherwise restricted, and it is classified as CWE‑200.
Affected Systems
The affected product is MediaWiki, from the Wikimedia Foundation. All releases before 1.46.0, as well as the specific versions 1.45.4, 1.44.6, and 1.43.9, are impacted.
Risk and Exploitability
No CVSS or EPSS score is provided, but the impact is a direct disclosure of sensitive data. An attacker only needs to send a crafted HTTP request containing a redirect within a non‑includable namespace; no elevated privileges are required. The lack of a KEV listing suggests no known widespread exploitation yet, but the confidentiality impact warrants treating this as medium to high risk and remediating promptly.
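A defender-side triage check for the conditions described above, as an added example that is not part of the advisory or of MediaWiki's own code: it reads a siteinfo API response, applies the page's "before 1.46.0" cut-off, and reports whether any namespace is marked nonincludable. The sample response is constructed, and relying on the nonincludable flag in the siteinfo namespace output is an assumption of this example.

```python
import json
import re

# Cut-off taken from the advisory text: releases before this are affected.
FIRST_UNAFFECTED = (1, 46, 0)

# Constructed sample of a response to
# api.php?action=query&meta=siteinfo&siprop=general|namespaces&format=json&formatversion=2
SAMPLE_SITEINFO = json.dumps({
    "query": {
        "general": {"generator": "MediaWiki 1.43.8"},
        "namespaces": {
            "0": {"id": 0, "name": "", "nonincludable": False},
            "3000": {"id": 3000, "name": "Internal", "nonincludable": True},
        },
    }
})


def parse_version(generator):
    """Extract (major, minor, patch) from a string like 'MediaWiki 1.43.8'."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", generator)
    if not m:
        raise ValueError(f"no version in {generator!r}")
    return tuple(int(p or 0) for p in m.groups())


def triage(siteinfo_json):
    """Return the version, namespaces relying on the setting, and a verdict."""
    query = json.loads(siteinfo_json)["query"]
    version = parse_version(query["general"]["generator"])
    # Assumption: formatversion=1 encodes true as "" and omits false,
    # while formatversion=2 uses real booleans. Both are handled here.
    protected = sorted(
        ns["id"] for ns in query["namespaces"].values()
        if ns.get("nonincludable", False) is not False
    )
    affected = version < FIRST_UNAFFECTED
    return {
        "version": ".".join(map(str, version)),
        "affected_version": affected,
        "nonincludable_namespaces": protected,
        # Exposure needs both an affected release and a namespace
        # that depends on $wgNonincludableNamespaces for protection.
        "exposed": affected and bool(protected),
    }


if __name__ == "__main__":
    print(triage(SAMPLE_SITEINFO))
```

A wiki that reports an affected version but lists no nonincludable namespaces is not relying on the setting, so the verdict is false there even though the upgrade is still due.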