CVE-2026-34087 Overview
CVE-2026-34087 is an information disclosure vulnerability [CWE-200] in the Wikimedia Foundation OATHAuth extension for MediaWiki. The OATHAuth extension provides two-factor authentication (2FA) capabilities to MediaWiki installations. The flaw allows an authenticated actor to access sensitive information that should be restricted, undermining the confidentiality guarantees of the 2FA workflow.
The issue affects OATHAuth versions before 1.43.7, 1.44.4, and 1.45.2. Exploitation requires network access and low privileges, with some user interaction.
Critical Impact
An authenticated attacker can retrieve sensitive OATHAuth data over the network, weakening the confidentiality of MediaWiki's two-factor authentication mechanism.
Affected Products
- MediaWiki OATHAuth extension versions before 1.43.7
- MediaWiki OATHAuth extension versions before 1.44.4
- MediaWiki OATHAuth extension versions before 1.45.2
Discovery Timeline
- 2026-05-11 - CVE-2026-34087 published to NVD
- 2026-05-14 - Last updated in NVD database
Technical Details for CVE-2026-34087
Vulnerability Analysis
The vulnerability is classified under [CWE-200]: Exposure of Sensitive Information to an Unauthorized Actor. OATHAuth handles One-Time Password (OTP) shared secrets, recovery codes, and related two-factor enrollment metadata. A defect in the extension permits an actor without the appropriate authorization to view information that should remain restricted to the owning user or privileged administrators.
The attack is conducted over the network against a MediaWiki instance running a vulnerable OATHAuth version. The attacker must hold a low-privilege account and induce limited user interaction to complete the disclosure path. Confidentiality of OATHAuth data is impacted; integrity and availability are not affected.
Root Cause
The root cause is an authorization or output-filtering gap within OATHAuth that returns sensitive 2FA-related fields to an actor who does not meet the required permission level. The Wikimedia Phabricator task T412061 tracks the fix across the 1.43, 1.44, and 1.45 release branches.
Attack Vector
An authenticated attacker interacts with the MediaWiki application over HTTP/HTTPS and triggers the affected OATHAuth code path. Because the attack requires only low privileges that any registered wiki user may hold, large MediaWiki deployments with open registration are exposed to a broader pool of potential abusers.
No verified public proof-of-concept is available. Refer to the Wikimedia Phabricator Task T412061 for vendor-tracked technical details.
Detection Methods for CVE-2026-34087
Indicators of Compromise
- Unexpected access patterns to OATHAuth-related API endpoints or special pages from low-privilege accounts.
- Repeated authenticated requests to OATHAuth views from a single account targeting multiple users.
- Anomalous reads of OATHAuth database tables outside normal administrative workflows.
Detection Strategies
- Audit MediaWiki access logs for unusual requests to OATHAuth endpoints, paying attention to non-administrative accounts.
- Correlate authentication events with subsequent OATHAuth queries to identify reconnaissance against 2FA-enabled users.
- Inventory MediaWiki extensions and flag installations running OATHAuth versions earlier than 1.43.7, 1.44.4, or 1.45.2.
Monitoring Recommendations
- Forward MediaWiki web and application logs to a centralized SIEM for retention and correlation.
- Alert on spikes in 4xx/5xx responses originating from OATHAuth routes, which may indicate probing.
- Track changes to the OATHAuth database tables and 2FA enrollment status for all privileged accounts.
How to Mitigate CVE-2026-34087
Immediate Actions Required
- Upgrade the OATHAuth extension to 1.43.7, 1.44.4, or 1.45.2 depending on your MediaWiki branch.
- Review the Wikimedia Phabricator Task T412061 for the authoritative fix details and release notes.
- Audit privileged accounts and rotate 2FA enrollments for any users whose OATHAuth data may have been exposed.
Patch Information
Wikimedia Foundation has released fixed versions of OATHAuth in the 1.43.7, 1.44.4, and 1.45.2 release lines. Apply the update that matches your supported MediaWiki LTS or stable branch. The Phabricator task T412061 is the canonical reference for the patched code paths.
Workarounds
- Restrict account creation on public MediaWiki instances to reduce the pool of low-privilege actors that can reach the vulnerable code path.
- Limit network exposure of administrative MediaWiki interfaces to trusted networks or VPN access until patching is complete.
- Temporarily tighten user-group permissions that grant access to OATHAuth-related views until the upgrade is deployed.
# Verify the installed OATHAuth version on a MediaWiki host
php maintenance/showJobs.php --version
grep -R "OATHAuth" extensions/OATHAuth/extension.json | grep version
# Update using Git for a typical MediaWiki deployment
cd extensions/OATHAuth
git fetch --tags
git checkout 1.45.2 # or 1.44.4 / 1.43.7 matching your MediaWiki branch
php ../../maintenance/update.php --quick
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
