Skip to main content

Wikimedia OATHAuth EUVDEUVD-2026-29059

| CVE-2026-34087 MEDIUM
Information Exposure (CWE-200)
2026-05-11 wikimedia-foundation GHSA-6fcc-jw5f-pvm9
5.1
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
5.1 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:N/AU:Y/R:A/V:X/RE:M/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:N/AU:Y/R:A/V:X/RE:M/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
P
Scope
N

Lifecycle Timeline

5
Analysis Generated
May 11, 2026 - 18:00 vuln.today
Patch available
May 11, 2026 - 17:01 EUVD
CVSS changed
May 11, 2026 - 16:22 NVD
5.1 (MEDIUM)
CVE Published
May 11, 2026 - 14:40 nvd
MEDIUM 5.1
CVE Published
May 11, 2026 - 14:40 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Wikimedia Foundation OATHAuth.

This issue affects OATHAuth: from * before 1.43.7, 1.44.4, 1.45.2.

AnalysisAI

OATHAuth before versions 1.43.7, 1.44.4, or 1.45.2 exposes sensitive information to unauthorized actors through an information disclosure vulnerability accessible to authenticated users via network requests. The vulnerability requires user interaction and results in limited confidentiality impact, affecting deployments where OATHAuth handles two-factor authentication across Wikimedia platforms.

Technical ContextAI

OATHAuth is a Wikimedia Foundation MediaWiki extension that implements OATH (One-Time Password Authentication) for two-factor authentication mechanisms. The vulnerability (CWE-200: Exposure of Sensitive Information to an Unauthorized Actor) indicates improper access controls or insufficient data masking in the extension's information handling. The network attack vector combined with low attack complexity and requirement for low-level privileges suggests the flaw exists in authenticated user-facing functionality, possibly in API endpoints, configuration display, or recovery/backup code handling that insufficiently validates what information is disclosed to which users.

RemediationAI

Wikimedia Foundation has released patched versions: upgrade to OATHAuth 1.43.7, 1.44.4, or 1.45.2 depending on the active branch in use. Administrators should verify their current version via the MediaWiki Special:Version page and apply the appropriate upgrade immediately. Pending patch application, restrict access to OATHAuth configuration and backup code recovery interfaces by limiting which user groups can access two-factor authentication settings; however, this is a partial mitigation only and does not address the underlying information disclosure in authenticated sessions. Monitor MediaWiki user logs for unusual access to user account and OATH configuration pages. See https://phabricator.wikimedia.org/T412061 for technical details and patch application guidance.

Share

EUVD-2026-29059 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy