Skip to main content

Wikimedia OAuth CVE-2026-13707

| EUVDEUVD-2026-41033 NONE
Session Fixation (CWE-384)
2026-07-01 wikimedia-foundation GHSA-qjj7-573r-4398

Severity by source

Vendor (wikimedia-foundation) PRIMARY
0.0 NONE
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:N/SI:N/SA:N
vuln.today AI
8.7 HIGH

Session fixation enabling full session hijack warrants S:C with C:H and I:H; PR:L and UI:R reflect OAuth consumer access and victim interaction requirements.

3.1 AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (wikimedia-foundation).

CVSS VectorVendor: wikimedia-foundation

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:N/SI:N/SA:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
P

Lifecycle Timeline

1
Analysis Generated
Jul 01, 2026 - 16:06 vuln.today

DescriptionCVE.org

Session fixation vulnerability in Wikimedia Foundation OAuth.

This vulnerability is associated with program files src/Backend/MWOAuthServer.Php.

This issue affects OAuth: from * through 1.46.0, 1.45.4, 1.44.6, 1.43.9.

AnalysisAI

Session fixation in the Wikimedia Foundation OAuth MediaWiki extension (src/Backend/MWOAuthServer.php) allows a network-accessible, low-privileged attacker to manipulate the OAuth authorization handshake so that a victim's authentication binds to an attacker-controlled session identifier. All four actively maintained release branches are affected through versions 1.46.0, 1.45.4, 1.44.6, and 1.43.9. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Register low-privilege OAuth consumer
Delivery
Craft authorization URL with attacker-controlled session token
Exploit
Deliver URL to target user (UI:P)
Execution
User completes authentication against seeded session
Persist
Attacker reuses fixed session token as authenticated session
Impact
Access victim account resources

Vulnerability AssessmentAI

Exploitation The attacker must possess low-level access sufficient to register or interact with an OAuth consumer on the target MediaWiki installation (PR:L per the CVSS 4.0 vector). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The provided CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:N/SI:N/SA:N) records zero confidentiality, integrity, and availability impact across both vulnerable and subsequent systems, which is atypical for a session fixation flaw that classically enables full session hijacking. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker registers a low-privilege OAuth consumer on the target MediaWiki instance and crafts an authorization URL that supplies a fixed or attacker-known session token in the OAuth handshake processed by MWOAuthServer.php. The attacker delivers this URL to a target user who follows it and completes authentication; the pre-seeded session token is then promoted to an authenticated session. …
Remediation Upgrade the Wikimedia Foundation OAuth extension to a version beyond the affected maxima on each maintained branch - that is, beyond 1.46.0, 1.45.4, 1.44.6, or 1.43.9 on the respective 1.46.x, 1.45.x, 1.44.x, and 1.43.x lines. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2017-12965 CRITICAL POC
9.8 Aug 23

Session fixation vulnerability in Apache2Triad 1.5.4 allows remote attackers to hijack web sessions via the PHPSESSID pa

CVE-2025-28242 CRITICAL POC
9.8 Apr 18

Improper session management in the /login_ok.htm endpoint of DAEnetIP4 METO v1.25 allows attackers to execute a session

CVE-2022-40916 CRITICAL POC
9.8 Feb 06

Tiny File Manager v2.4.7 and below is vulnerable to session fixation. Rated critical severity (CVSS 9.8), this vulnerabi

CVE-2025-45949 CRITICAL POC
9.8 Apr 28

A critical vulnerability was found in PHPGurukul User Registration & Login and User Management System V3.3 in the /login

CVE-2023-48929 CRITICAL POC
9.8 Dec 08

Franklin Fueling Systems System Sentinel AnyWare (SSA) version 1.6.24.492 is vulnerable to Session Fixation. Rated criti

CVE-2023-41012 CRITICAL POC
9.8 Sep 05

An issue in China Mobile Communications China Mobile Intelligent Home Gateway v.HG6543C4 allows a remote attacker to exe

CVE-2023-31498 CRITICAL POC
9.8 May 11

A privilege escalation issue was found in PHP Gurukul Hospital Management System In v.4.0 allows a remote attacker to ex

CVE-2022-3269 CRITICAL POC
9.8 Sep 23

Session Fixation in GitHub repository ikus060/rdiffweb prior to 2.4.7. Rated critical severity (CVSS 9.8), this vulnerab

CVE-2021-39290 CRITICAL POC
9.8 Aug 23

Certain NetModule devices allow Limited Session Fixation via PHPSESSID. Rated critical severity (CVSS 9.8), this vulnera

CVE-2020-11729 CRITICAL POC
9.8 Apr 15

An issue was discovered in DAViCal Andrew's Web Libraries (AWL) through 0.60. Rated critical severity (CVSS 9.8), this v

CVE-2019-18418 CRITICAL POC
9.8 Oct 24

clonos.php in ClonOS WEB control panel 19.09 allows remote attackers to gain full access via change password requests be

CVE-2018-18925 CRITICAL POC
9.8 Nov 04

Gogs 0.11.66 allows remote code execution because it does not properly validate session IDs, as demonstrated by a ".." s

Share

CVE-2026-13707 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy