Description
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Wikimedia Foundation MediaWiki.

This vulnerability is associated with program files includes/Parser/Parser.Php.



This issue affects MediaWiki: from * before 1.46.0, 1.45.4, 1.44.6, 1.43.9.
Published: 2026-07-01
Score: 0 Low
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability originates in MediaWiki’s parser dealing with the $wgNonincludableNamespaces setting. By embedding a redirect within a namespace usually excluded from parsing, an attacker can force the parser to read content from a protected namespace that should not be publicly accessible. The flaw allows an unauthorized actor to view confidential information that is otherwise restricted, and it is classified as CWE‑200.

Affected Systems

The affected vendor is Wikimedia Foundation, product MediaWiki. All releases before 1.46.0, as well as the specific versions 1.45.4, 1.44.6, and 1.43.9, are impacted.

Risk and Exploitability

No CVSS or EPSS score is provided, but the impact is a direct disclosure of sensitive data. An attacker only needs to send a crafted HTTP request containing a redirect within a non‑includable namespace; no elevated privileges are required. The lack of a KEV listing suggests no known widespread exploitation yet, but the confidentiality compromise warrants medium to high risk and prompt remediation.

Generated by OpenCVE AI on July 2, 2026 at 05:13 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade MediaWiki to version 1.46.0 or newer, which contains the fix for the redirect bypass.
  • Reevaluate the $wgNonincludableNamespaces setting and disable or restrict redirects from protected namespaces to prevent future bypass attempts.
  • Scan server logs for unusual redirect patterns and employ content moderation tools to detect and respond to potential unauthorized redirect usage.

Advisories

No advisories yet.

History

Wed, 01 Jul 2026 16:30:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 01 Jul 2026 15:30:00 +0000

Type | Values Removed | Values Added
Description | | Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/Parser/Parser.Php. This issue affects MediaWiki: from * before 1.46.0, 1.45.4, 1.44.6, 1.43.9.
Title | | $wgNonincludableNamespaces can be bypassed by embedding redirect in other namespaces
Weaknesses | | CWE-200
References | |
Metrics | | cvssV4_0 {'score': 0, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: wikimedia-foundation

Published:

Updated: 2026-07-01T15:50:17.256Z

Reserved: 2026-06-27T13:32:37.577Z

Link: CVE-2026-58026

Vulnrichment

Updated: 2026-07-01T15:50:11.643Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-07-02T05:15:07Z

Weaknesses
  • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor