Impact
The vulnerability allows the action=info endpoint of MediaWiki to return revision entries that include deleted author names. Because the endpoint does not filter out revisions whose author field has been removed, an unauthenticated user can obtain the identities associated with those deletions. This exposes user identity information that should have been protected and is therefore a breach of confidentiality. The flaw is categorized as CWE-200.
Affected Systems
Wikimedia Foundation MediaWiki. Versions before 1.46.0, 1.45.4, 1.44.6, and 1.43.9 are affected. All instances of these releases that enable the action=info endpoint are vulnerable. The vulnerability is present in the core action=info functionality and is not dependent on extensions or custom configuration.
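As an added example (not part of the advisory or of MediaWiki itself), this Python check flags installations that are below the fixed releases listed above. It assumes each listed version is the fix for its own release branch, that older branches have no fixed release, and that a pre-release tag precedes the release it names; the host names and sample versions are constructed.

```python
import re

# Fixed release per branch, taken from the advisory text (assumed to be per-branch fixes).
FIXED = {(1, 43): 9, (1, 44): 6, (1, 45): 4, (1, 46): 0}

# Accepts "1.44.5", "1.46.0-rc.1", or a generator string such as "MediaWiki 1.43.8".
_VERSION = re.compile(r"^(?:MediaWiki\s+)?(\d+)\.(\d+)(?:\.(\d+))?(?:-?([A-Za-z][\w.]*))?$")


def parse_version(text):
    """Return (major, minor, patch, is_prerelease) for a MediaWiki version string."""
    m = _VERSION.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised MediaWiki version: {text!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0), m.group(4) is not None


def is_affected(version):
    """True if the version predates the fixed release for its branch."""
    major, minor, patch, prerelease = parse_version(version)
    branch = (major, minor)
    if branch > max(FIXED):
        return False          # newer than every fixed branch
    fixed_patch = FIXED.get(branch)
    if fixed_patch is None:
        return True           # branch with no fixed release listed
    if patch != fixed_patch:
        return patch < fixed_patch
    return prerelease         # e.g. 1.46.0-rc.1 precedes the fixed 1.46.0


def audit(inventory):
    """Return the sorted names of hosts whose version is affected or unparseable."""
    flagged = []
    for host, version in inventory.items():
        try:
            if is_affected(version):
                flagged.append(host)
        except ValueError:
            flagged.append(host)  # unknown version: review by hand
    return sorted(flagged)


# Constructed inventory for illustration; host names and versions are not from the advisory.
SAMPLE_INVENTORY = {
    "wiki-a.example": "1.43.8", "wiki-b.example": "MediaWiki 1.44.6",
    "wiki-c.example": "1.46.0-rc.1", "wiki-d.example": "1.39.11",
    "wiki-e.example": "1.45.4", "wiki-f.example": "unknown",
}
```

Hosts returned by `audit` either run an affected release or report a version the parser could not read and need a manual check.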
Risk and Exploitability
The CVSS score of 5.3 places this vulnerability in the medium severity range. No EPSS data is available and the issue is not listed in the CISA KEV catalogue, indicating no known large-scale exploitation. The attack vector is unauthenticated and network-based: any external web client can issue an HTTP request to the action=info page and receive the sensitive data. Because authentication is not required and the endpoint is typically accessible by anyone who can reach the MediaWiki site, exploitation is straightforward for exposed public installations.