Description
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Wikimedia Foundation AbuseFilter.

This vulnerability is associated with program files includes/Api/QueryAbuseFilters.Php.

This issue affects AbuseFilter: from * before 1.46.0, 1.45.4, 1.44.6, 1.43.9.
Published: 2026-07-01
Score: 5.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability allows an unauthorized actor to obtain the hit count of private filters through the AbuseFilter QueryAbuseFilters API, exposing usage information that the user interface otherwise hides. This information leakage corresponds to CWE-200: confidential data is revealed without proper access controls, which could help threat actors gauge filter effectiveness or usage patterns.

Affected Systems

Systems running Wikimedia Foundation AbuseFilter before version 1.46.0, or the specific earlier releases 1.45.4, 1.44.6, and 1.43.9, are affected. These versions expose private filter statistics via the API endpoint.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate severity; exploitation does not appear to require special credentials, as the API endpoint is accessible to unauthenticated users. EPSS data is unavailable, and the vulnerability is not listed in the CISA KEV catalog, suggesting the attack surface is limited but still present. The likely attack vector is an HTTP request to the QueryAbuseFilters API, which would return private filter hit counts to any caller.

Generated by OpenCVE AI on July 2, 2026 at 00:47 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade AbuseFilter to version 1.46.0 or newer, which removes the ability to query private filter hit counts via the API.
  • Restrict the QueryAbuseFilters API to authenticated and authorized users only, ensuring that unprivileged actors cannot access private filter data.
  • Monitor API usage logs for anomalous requests targeting private filter data, and investigate any unauthorized attempts.



Advisories

No advisories yet.

References
History

Thu, 02 Jul 2026 01:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | - | Wikimedia; Wikimedia abusefilter
Vendors & Products | - | Wikimedia; Wikimedia abusefilter

Wed, 01 Jul 2026 16:30:00 +0000

Type | Values Removed | Values Added
Metrics | - | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 01 Jul 2026 15:30:00 +0000

Type | Values Removed | Values Added
Description | - | Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Wikimedia Foundation AbuseFilter. This vulnerability is associated with program files includes/Api/QueryAbuseFilters.Php. This issue affects AbuseFilter: from * before 1.46.0, 1.45.4, 1.44.6, 1.43.9.
Title | - | QueryAbuseFilter API can be used to see the hit count of private filters, which is hidden in the UI
Weaknesses | - | CWE-200
References | - | -
Metrics | - | cvssV4_0: {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: wikimedia-foundation

Published:

Updated: 2026-07-01T15:49:32.627Z

Reserved: 2026-06-27T13:32:37.577Z

Link: CVE-2026-58027

Vulnrichment

Updated: 2026-07-01T15:49:28.228Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-07-02T01:00:12Z

Weaknesses
  • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor