Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:N/SI:N/SA:N
Session fixation enabling full session hijack warrants S:C with C:H and I:H; PR:L and UI:R reflect OAuth consumer access and victim interaction requirements.
Primary rating from Vendor (wikimedia-foundation).
CVSS VectorVendor: wikimedia-foundation
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:N/SI:N/SA:N
Lifecycle Timeline
1DescriptionCVE.org
Session fixation vulnerability in Wikimedia Foundation OAuth.
This vulnerability is associated with program files src/Backend/MWOAuthServer.Php.
This issue affects OAuth: from * through 1.46.0, 1.45.4, 1.44.6, 1.43.9.
AnalysisAI
Session fixation in the Wikimedia Foundation OAuth MediaWiki extension (src/Backend/MWOAuthServer.php) allows a network-accessible, low-privileged attacker to manipulate the OAuth authorization handshake so that a victim's authentication binds to an attacker-controlled session identifier. All four actively maintained release branches are affected through versions 1.46.0, 1.45.4, 1.44.6, and 1.43.9. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | The attacker must possess low-level access sufficient to register or interact with an OAuth consumer on the target MediaWiki installation (PR:L per the CVSS 4.0 vector). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The provided CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:N/SI:N/SA:N) records zero confidentiality, integrity, and availability impact across both vulnerable and subsequent systems, which is atypical for a session fixation flaw that classically enables full session hijacking. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker registers a low-privilege OAuth consumer on the target MediaWiki instance and crafts an authorization URL that supplies a fixed or attacker-known session token in the OAuth handshake processed by MWOAuthServer.php. The attacker delivers this URL to a target user who follows it and completes authentication; the pre-seeded session token is then promoted to an authenticated session. … |
| Remediation | Upgrade the Wikimedia Foundation OAuth extension to a version beyond the affected maxima on each maintained branch - that is, beyond 1.46.0, 1.45.4, 1.44.6, or 1.43.9 on the respective 1.46.x, 1.45.x, 1.44.x, and 1.43.x lines. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Session Fixation
View allSession fixation vulnerability in Apache2Triad 1.5.4 allows remote attackers to hijack web sessions via the PHPSESSID pa
Improper session management in the /login_ok.htm endpoint of DAEnetIP4 METO v1.25 allows attackers to execute a session
Tiny File Manager v2.4.7 and below is vulnerable to session fixation. Rated critical severity (CVSS 9.8), this vulnerabi
A critical vulnerability was found in PHPGurukul User Registration & Login and User Management System V3.3 in the /login
Franklin Fueling Systems System Sentinel AnyWare (SSA) version 1.6.24.492 is vulnerable to Session Fixation. Rated criti
An issue in China Mobile Communications China Mobile Intelligent Home Gateway v.HG6543C4 allows a remote attacker to exe
A privilege escalation issue was found in PHP Gurukul Hospital Management System In v.4.0 allows a remote attacker to ex
Session Fixation in GitHub repository ikus060/rdiffweb prior to 2.4.7. Rated critical severity (CVSS 9.8), this vulnerab
Certain NetModule devices allow Limited Session Fixation via PHPSESSID. Rated critical severity (CVSS 9.8), this vulnera
An issue was discovered in DAViCal Andrew's Web Libraries (AWL) through 0.60. Rated critical severity (CVSS 9.8), this v
clonos.php in ClonOS WEB control panel 19.09 allows remote attackers to gain full access via change password requests be
Gogs 0.11.66 allows remote code execution because it does not properly validate session IDs, as demonstrated by a ".." s
Same weakness CWE-384 – Session Fixation
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-41033
GHSA-qjj7-573r-4398