Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:U/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:U/V:X/RE:X/U:X
Lifecycle Timeline
5DescriptionCVE.org
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Wikimedia Foundation CheckUser.
This issue affects CheckUser: from 1.45.0 before 1.45.2.
AnalysisAI
Wikimedia Foundation CheckUser versions 1.45.0 through 1.45.1 expose sensitive information to unauthorized actors through a flaw in access control, allowing high-privileged users with user interaction to view data they should not access. The vulnerability affects the CheckUser extension used across Wikimedia projects and is confirmed patched in version 1.45.2. EPSS and active exploitation status are not publicly documented, but the low CVSS score (4.8) and requirement for elevated privileges limit real-world impact.
Technical ContextAI
CheckUser is a Wikimedia Foundation extension that provides administrative tools for investigating user behavior and detecting abuse across wiki projects. The vulnerability stems from improper authorization controls (CWE-200: Exposure of Sensitive Information to an Unauthorized Actor), allowing high-privileged users to access CheckUser features and view sensitive investigation data without appropriate scope restrictions. The affected versions 1.45.0 and 1.45.1 fail to properly validate user privileges before exposing sensitive data through the CheckUser interface, likely in logging, IP tracking, or user relationship analysis features that should be restricted to specific administrative roles.
RemediationAI
Upgrade CheckUser to version 1.45.2 or later immediately. The vendor-released patch is available and confirmed to address the authorization control flaw. Administrators should verify the extension version on all deployed Wikimedia installations via Special:Version and apply updates without delay. No workarounds are documented, as the vulnerability requires a code-level authorization fix rather than configuration adjustment. During patching, CheckUser functionality will temporarily be unavailable if the extension is disabled; coordinate with project communities to minimize disruption. The patch should be tested in staging environments first to ensure compatibility with local MediaWiki installations and any custom extensions that depend on CheckUser. For detailed patch information, consult the Phabricator task T411366 referenced in the advisory.
Cross-site request forgery (CSRF) vulnerability in the CheckUser extension for MediaWiki allows remote attackers to hija
An issue was discovered in the CheckUser extension through 1.34 for MediaWiki. Rated medium severity (CVSS 6.5), this vu
Cross-site scripting in the Wikimedia Foundation CheckUser extension (versions 1.46.0-rc.0 up to but not including 1.46.
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia F
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia F
Same weakness CWE-200 – Information Exposure
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-29062
GHSA-cg3w-6fh3-65mw