Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:L/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:L/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
Improper removal of sensitive information before storage or transfer vulnerability in The Wikimedia Foundation Mediawiki - CentralAuth Extension allows Resource Leak Exposure.This issue affects non release branches.
AnalysisAI
Information disclosure in MediaWiki CentralAuth extension exposes sensitive authentication data to unauthorized parties through improper removal before storage or transfer. This affects non-release development branches with network-accessible attack vector requiring no authentication (CVSS:4.0 AV:N/PR:N). While no public exploit or active exploitation (not in CISA KEV) is identified at time of analysis, the CVSS 8.8 rating reflects high confidentiality impact and low complexity, making this a significant risk for organizations running development builds.
Technical ContextAI
CentralAuth is a MediaWiki extension enabling unified authentication across multiple Wikimedia wikis, managing user credentials and session tokens centrally. CWE-212 (Improper Removal of Sensitive Information Before Storage or Transfer) indicates the vulnerability stems from failure to sanitize authentication-related data before persisting to logs, databases, or transmitting over networks. The CPE designation targets the CentralAuth extension specifically (cpe:2.3:a:the_wikimedia_foundation:mediawiki_-_centralauth_extension), not core MediaWiki. The affected non-release branches suggest this issue exists in development code paths, potentially involving debugging features, verbose logging, or incomplete data sanitization routines that leak tokens, passwords, or session identifiers. The CVSS 4.0 vector showing high confidentiality impact (VC:H) with low integrity/availability impact (VI:L/VA:L) confirms the primary concern is unauthorized data exposure rather than system compromise.
RemediationAI
Apply the upstream fix committed to the MediaWiki Gerrit repository under change ID I0b72427fa329aee85841a2cb23dec3058edce85e (https://gerrit.wikimedia.org/r/q/I0b72427fa329aee85841a2cb23dec3058edce85e). Organizations running development branches should merge this commit or migrate to stable release versions of CentralAuth where the fix will be incorporated. For production wikis using official MediaWiki releases, verify that you are running stable tagged versions and not development code. As an interim workaround, restrict network access to development/staging MediaWiki instances, implement additional log sanitization at infrastructure level, and audit recent logs for potential sensitive data exposure. Review the technical discussion in Phabricator task T418122 (https://phabricator.wikimedia.org/T418122) for specific implementation details and affected code paths.
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-19984