Skip to main content

Wikimedia CheckUser EUVDEUVD-2026-29062

| CVE-2026-34090 MEDIUM
Information Exposure (CWE-200)
2026-05-11 wikimedia-foundation GHSA-cg3w-6fh3-65mw
4.8
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
4.8 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:U/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:U/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
P
Scope
X

Lifecycle Timeline

5
Analysis Generated
May 11, 2026 - 18:01 vuln.today
Patch available
May 11, 2026 - 17:01 EUVD
CVSS changed
May 11, 2026 - 16:22 NVD
4.8 (MEDIUM)
CVE Published
May 11, 2026 - 14:50 nvd
MEDIUM 4.8
CVE Published
May 11, 2026 - 14:50 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Wikimedia Foundation CheckUser.

This issue affects CheckUser: from 1.45.0 before 1.45.2.

AnalysisAI

Wikimedia Foundation CheckUser versions 1.45.0 through 1.45.1 expose sensitive information to unauthorized actors through a flaw in access control, allowing high-privileged users with user interaction to view data they should not access. The vulnerability affects the CheckUser extension used across Wikimedia projects and is confirmed patched in version 1.45.2. EPSS and active exploitation status are not publicly documented, but the low CVSS score (4.8) and requirement for elevated privileges limit real-world impact.

Technical ContextAI

CheckUser is a Wikimedia Foundation extension that provides administrative tools for investigating user behavior and detecting abuse across wiki projects. The vulnerability stems from improper authorization controls (CWE-200: Exposure of Sensitive Information to an Unauthorized Actor), allowing high-privileged users to access CheckUser features and view sensitive investigation data without appropriate scope restrictions. The affected versions 1.45.0 and 1.45.1 fail to properly validate user privileges before exposing sensitive data through the CheckUser interface, likely in logging, IP tracking, or user relationship analysis features that should be restricted to specific administrative roles.

RemediationAI

Upgrade CheckUser to version 1.45.2 or later immediately. The vendor-released patch is available and confirmed to address the authorization control flaw. Administrators should verify the extension version on all deployed Wikimedia installations via Special:Version and apply updates without delay. No workarounds are documented, as the vulnerability requires a code-level authorization fix rather than configuration adjustment. During patching, CheckUser functionality will temporarily be unavailable if the extension is disabled; coordinate with project communities to minimize disruption. The patch should be tested in staging environments first to ensure compatibility with local MediaWiki installations and any custom extensions that depend on CheckUser. For detailed patch information, consult the Phabricator task T411366 referenced in the advisory.

Share

EUVD-2026-29062 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy