Skip to main content

MediaWiki WikiLambda EUVDEUVD-2026-41114

| CVE-2026-58517 MEDIUM
Authentication Bypass Using an Alternate Path or Channel (CWE-288)
2026-07-01 wikimedia-foundation GHSA-9r5v-wvvq-6v9f
6.9
CVSS 4.0 · Vendor: wikimedia-foundation
Share

Severity by source

Vendor (wikimedia-foundation) PRIMARY
6.9 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
7.3 HIGH

Network-accessible, unauthenticated bypass with no interaction; uniform Low C/I/A impact reflects scoped extension access, not full site compromise.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L

Primary rating from Vendor (wikimedia-foundation).

CVSS VectorVendor: wikimedia-foundation

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

2
Patch available
Jul 01, 2026 - 20:02 EUVD
Analysis Generated
Jul 01, 2026 - 18:52 vuln.today

DescriptionCVE.org

Improper neutralization of input terminators vulnerability in The Wikimedia Foundation Mediawiki - WikiLambda Extension allows Authentication Bypass.

This issue affects Mediawiki - WikiLambda Extension: from * before 1.43.9,1.44.6,1.45.4.

AnalysisAI

Authentication bypass in the Wikimedia Foundation's WikiLambda extension for MediaWiki allows unauthenticated remote attackers to circumvent access controls via improper neutralization of input terminator characters (CWE-288). Affected are all WikiLambda deployments running versions prior to 1.43.9, 1.44.6, and 1.45.4 across the supported MediaWiki release branches. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify MediaWiki instance with WikiLambda enabled
Delivery
Craft HTTP request with input terminator payload
Exploit
Submit request to WikiLambda API endpoint
Execution
Input terminators bypass authentication validation
Persist
Access restricted WikiLambda functions
Impact
Read or manipulate wiki function definitions

Vulnerability AssessmentAI

Exploitation The WikiLambda extension must be installed and enabled on the target MediaWiki instance - sites running core MediaWiki without this extension are not affected. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms this is a fully remote, unauthenticated, low-complexity exploit requiring no user interaction - characteristics that place it at elevated operational priority despite the moderate base score of 6.9. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An unauthenticated attacker sends a crafted HTTP request to a WikiLambda-enabled MediaWiki instance, embedding input terminator characters (such as null bytes or newlines) within a parameter processed by the extension's authentication logic. The terminator causes the parser to exit the auth validation routine prematurely via an alternate code path, granting the attacker access to WikiLambda API actions that should require authentication. …
Remediation Upgrade the WikiLambda extension to version 1.43.9 or later on MediaWiki 1.43.x branches, 1.44.6 or later on 1.44.x, or 1.45.4 or later on 1.45.x, per the fix versions stated in the CVE description. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-41114 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy