CVE-2026-34091 Overview
CVE-2026-34091 is an information disclosure vulnerability in Wikimedia Foundation MediaWiki [CWE-200]. The flaw exposes sensitive information to unauthorized actors over the network without requiring authentication or user interaction. Affected releases include MediaWiki versions prior to 1.43.7, 1.44.4, and 1.45.2.
The vulnerability carries a CVSS 4.0 base score of 5.5 (Medium). The EPSS score is 0.04% with a percentile of 12.116 as of 2026-05-17. No public proof-of-concept exploit is available, and the issue is not listed in the CISA Known Exploited Vulnerabilities catalog.
Critical Impact
Unauthenticated remote attackers can retrieve sensitive information from MediaWiki instances, potentially aiding reconnaissance and follow-on attacks against wiki platforms.
Affected Products
- MediaWiki versions prior to 1.43.7
- MediaWiki versions prior to 1.44.4
- MediaWiki versions prior to 1.45.2
Discovery Timeline
- 2026-05-11 - CVE-2026-34091 published to NVD
- 2026-05-14 - Last updated in NVD database
Technical Details for CVE-2026-34091
Vulnerability Analysis
The vulnerability in MediaWiki allows exposure of sensitive information to an unauthorized actor. The weakness is classified under [CWE-200], which covers situations where a product exposes information to actors not explicitly authorized to access it.
MediaWiki powers Wikipedia and thousands of public and private wikis. Information disclosure flaws in this codebase can leak metadata, restricted page content, user attributes, or internal state that should remain protected.
The Wikimedia Foundation tracks this issue in Wikimedia Task T411305, which contains restricted technical details pending broader patch adoption.
Root Cause
The root cause is improper enforcement of access boundaries in MediaWiki components. The application returns data to requesters who lack authorization to view it. Refer to the Wikimedia Task T411305 for component-specific details.
Attack Vector
The attack vector is network-based with low attack complexity. The CVSS 4.0 vector indicates no privileges and no user interaction are required to trigger the disclosure. An attacker sends crafted requests to an exposed MediaWiki instance and receives sensitive data in the response. Confidentiality impact is rated low, while integrity and availability are unaffected.
No verified proof-of-concept code is publicly available. Operators should consult the upstream advisory for technical details rather than relying on synthetic exploit examples.
Detection Methods for CVE-2026-34091
Indicators of Compromise
- Anomalous request patterns targeting MediaWiki API endpoints such as api.php and index.php with unusual query parameters
- Outbound responses containing data fields not normally exposed to anonymous or low-privilege sessions
- Spikes in unauthenticated traffic from single source IP addresses scraping wiki content
Detection Strategies
- Inventory all MediaWiki deployments and identify instances running versions prior to 1.43.7, 1.44.4, or 1.45.2
- Review web server access logs for repeated requests to MediaWiki API endpoints from unauthenticated clients
- Compare HTTP response sizes and content against baseline behavior for anonymous requests to detect unexpected data leakage
Monitoring Recommendations
- Forward MediaWiki application logs and web server logs to a centralized SIEM for correlation and retention
- Alert on bulk enumeration patterns such as sequential page ID requests or rapid API queries from a single source
- Monitor for changes in MediaWiki configuration files and extensions that could affect access control enforcement
How to Mitigate CVE-2026-34091
Immediate Actions Required
- Upgrade MediaWiki to version 1.43.7, 1.44.4, 1.45.2, or later depending on the deployed branch
- Restrict network exposure of administrative and API endpoints to trusted networks where feasible
- Audit wiki content and user data for evidence of unauthorized access following the disclosure window
Patch Information
The Wikimedia Foundation has released fixed builds in MediaWiki 1.43.7, 1.44.4, and 1.45.2. Patch details and upstream tracking are available in Wikimedia Task T411305. Administrators should follow the official MediaWiki upgrade procedure, including database schema updates via update.php where required.
Workarounds
- Place MediaWiki behind a reverse proxy or web application firewall that can filter abnormal API requests until patching is complete
- Disable or restrict access to non-essential MediaWiki extensions that may broaden the exposed surface
- Require authentication for read access on private or internal wikis using $wgGroupPermissions adjustments
# Example LocalSettings.php hardening for private wikis
$wgGroupPermissions['*']['read'] = false;
$wgGroupPermissions['*']['edit'] = false;
$wgGroupPermissions['*']['createaccount'] = false;
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
