Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:N/AU:Y/R:A/V:X/RE:M/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:N/AU:Y/R:A/V:X/RE:M/U:X
Lifecycle Timeline
5DescriptionCVE.org
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Wikimedia Foundation OATHAuth.
This issue affects OATHAuth: from * before 1.43.7, 1.44.4, 1.45.2.
AnalysisAI
OATHAuth before versions 1.43.7, 1.44.4, or 1.45.2 exposes sensitive information to unauthorized actors through an information disclosure vulnerability accessible to authenticated users via network requests. The vulnerability requires user interaction and results in limited confidentiality impact, affecting deployments where OATHAuth handles two-factor authentication across Wikimedia platforms.
Technical ContextAI
OATHAuth is a Wikimedia Foundation MediaWiki extension that implements OATH (One-Time Password Authentication) for two-factor authentication mechanisms. The vulnerability (CWE-200: Exposure of Sensitive Information to an Unauthorized Actor) indicates improper access controls or insufficient data masking in the extension's information handling. The network attack vector combined with low attack complexity and requirement for low-level privileges suggests the flaw exists in authenticated user-facing functionality, possibly in API endpoints, configuration display, or recovery/backup code handling that insufficiently validates what information is disclosed to which users.
RemediationAI
Wikimedia Foundation has released patched versions: upgrade to OATHAuth 1.43.7, 1.44.4, or 1.45.2 depending on the active branch in use. Administrators should verify their current version via the MediaWiki Special:Version page and apply the appropriate upgrade immediately. Pending patch application, restrict access to OATHAuth configuration and backup code recovery interfaces by limiting which user groups can access two-factor authentication settings; however, this is a partial mitigation only and does not address the underlying information disclosure in authenticated sessions. Monitor MediaWiki user logs for unusual access to user account and OATH configuration pages. See https://phabricator.wikimedia.org/T412061 for technical details and patch application guidance.
Same weakness CWE-200 – Information Exposure
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-29059
GHSA-6fcc-jw5f-pvm9