CVE-2026-34095 Overview
CVE-2026-34095 affects Wikimedia Foundation MediaWiki, a widely deployed open-source wiki platform powering Wikipedia and thousands of public and private knowledge bases. The vulnerability resides in the source files includes/Actions/ActionEntryPoint.php and includes/Request/FauxResponse.php. It is classified under CWE-668: Exposure of Resource to Wrong Sphere.
The issue affects MediaWiki versions before 1.43.7, 1.44.4, and 1.45.2. Exploitation requires high-privilege access over a network vector, and current scoring indicates no direct confidentiality, integrity, or availability impact on the vulnerable system.
Critical Impact
The flaw exposes internal MediaWiki resources across protection boundaries through the action entry point and response handling components, requiring authenticated high-privilege access to reach.
Affected Products
- MediaWiki versions prior to 1.43.7
- MediaWiki versions prior to 1.44.4
- MediaWiki versions prior to 1.45.2
Discovery Timeline
- 2026-05-11 - CVE-2026-34095 published to the National Vulnerability Database
- 2026-05-13 - Last updated in NVD database
Technical Details for CVE-2026-34095
Vulnerability Analysis
The vulnerability sits in two core MediaWiki components: ActionEntryPoint.php, which dispatches user actions to the appropriate handlers, and FauxResponse.php, which represents simulated HTTP responses used internally by the framework. Improper handling within these files allows resources or response state to cross sphere boundaries that should remain isolated.
CWE-668 describes weaknesses where a resource is made available to an actor outside the control sphere intended by the developer. In MediaWiki's case, this typically manifests as headers, cookies, or response artifacts leaking between request contexts when the faux response object is reused or improperly scoped.
The EPSS score of 0.027% places this issue in a low-probability exploitation tier, consistent with the high-privilege prerequisite and the absence of public proof-of-concept code.
Root Cause
The root cause lies in inadequate boundary enforcement between request and response objects within MediaWiki's action dispatch pipeline. When ActionEntryPoint.php invokes handlers that produce a FauxResponse, response state is not consistently isolated from the outer request, allowing cross-context exposure.
Attack Vector
The attack vector is network-based and requires authenticated access with high privileges on the target MediaWiki instance. No user interaction is required. An attacker leveraging an administrative or equivalent privileged account can trigger the affected code paths through crafted action requests.
Verified exploitation code is not publicly available. See the Wikimedia Task T419192 advisory for upstream technical details.
Detection Methods for CVE-2026-34095
Indicators of Compromise
- Unexpected HTTP response headers or cookies originating from MediaWiki action endpoints handled by ActionEntryPoint.php.
- Anomalous reuse of authenticated administrative sessions issuing repeated action requests against internal MediaWiki endpoints.
- Log entries showing privileged users invoking uncommon action= parameters in close succession.
Detection Strategies
- Audit MediaWiki access logs for high-privilege accounts performing unusual action dispatch sequences against the affected entry point.
- Compare deployed MediaWiki version against 1.43.7, 1.44.4, and 1.45.2 to identify vulnerable installations across the environment.
- Monitor outbound responses for header or cookie anomalies that suggest cross-context response state leakage.
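The version comparison and the privileged-user burst check from the strategies above, as an added Python example (not code from the page or from MediaWiki). The access-log layout, the user field, the set of "common" actions and the sample lines are all constructed assumptions; adapt the regex to your own web server's log format.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlparse

# Fixed releases named in the advisory, keyed by release branch (major, minor).
FIXED = {(1, 43): (1, 43, 7), (1, 44): (1, 44, 4), (1, 45): (1, 45, 2)}

def is_vulnerable(version):
    """True if the version predates its branch fix; <1.43 is vulnerable, >1.45 assumed fixed."""
    v = tuple(int(p) for p in version.split("."))
    return v < FIXED[v[:2]] if v[:2] in FIXED else v[:2] < (1, 43)

# Assumed log layout (constructed): "<ISO time>Z user=<name> <method> <path> <status>".
LOG_LINE = re.compile(r"^(\S+) user=(\S+) \S+ (\S+) \d+$")
# Everyday actions never counted as anomalous (assumption; tune per wiki).
COMMON_ACTIONS = {"view", "edit", "submit", "history", "info", "purge", "watch"}

def parse_line(line):
    m = LOG_LINE.match(line)  # returns (timestamp, user, action) or None
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
    action = parse_qs(urlparse(m.group(3)).query).get("action", ["view"])[0]
    return ts, m.group(2), action
def uncommon_action_bursts(lines, privileged, window=timedelta(seconds=60), threshold=3):
    """Map each privileged user to the most uncommon action= requests they issued
    inside any single sliding window; only users reaching the threshold appear."""
    hits = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed and parsed[1] in privileged and parsed[2] not in COMMON_ACTIONS:
            hits[parsed[1]].append(parsed[0])
    flagged = {}
    for user, times in hits.items():
        times.sort()
        best = start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:  # slide the window forward
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[user] = best
    return flagged
SAMPLE_LOG = [  # constructed sample lines, not real traffic
    "2026-05-12T10:00:01Z user=WikiSysop GET /w/index.php?title=Main_Page&action=raw 200",
    "2026-05-12T10:00:09Z user=WikiSysop GET /w/index.php?title=Main_Page&action=revisiondelete 200",
    "2026-05-12T10:00:20Z user=WikiSysop POST /w/index.php?title=Main_Page&action=protect 200",
    "2026-05-12T10:00:31Z user=Editor42 GET /w/index.php?title=Main_Page&action=edit 200",
]
```

Feed it the real privileged-user list from Special:ListUsers (sysop, bureaucrat, interface-admin groups) rather than a hard-coded set.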
Monitoring Recommendations
- Enable verbose request logging on MediaWiki front-end servers and forward logs to a centralized SIEM for correlation.
- Alert on privilege escalations or new administrator account creation events that could precede exploitation.
- Track changes to MediaWiki configuration files and the includes/Actions and includes/Request directories for unauthorized modification.
How to Mitigate CVE-2026-34095
Immediate Actions Required
- Upgrade MediaWiki to 1.43.7, 1.44.4, or 1.45.2 (or a later release on the same branch), depending on which branch you currently run.
- Inventory all MediaWiki deployments, including internal wikis and developer instances, and prioritize patching for internet-exposed sites.
- Review and tighten administrative account access, enforcing multi-factor authentication for all privileged users.
Patch Information
Wikimedia Foundation has published fixes in MediaWiki releases 1.43.7, 1.44.4, and 1.45.2. Refer to the Wikimedia Task T419192 advisory for the full patch reference and release notes.
Workarounds
- Restrict administrative actions to trusted IP ranges using web server access controls until patching is complete.
- Rotate credentials for high-privilege MediaWiki accounts to reduce the window of opportunity for an authenticated attacker.
- Place MediaWiki behind a web application firewall configured to inspect action= parameters and block anomalous administrative requests.
# Example: upgrade a git-based MediaWiki checkout to a fixed release and run the maintenance script
cd /var/www/mediawiki
git fetch --tags
# Check out the fixed tag for your branch (1.43.7, 1.44.4, or 1.45.2)
git checkout 1.45.2
# Refresh PHP dependencies for the new release (git checkouts only; tarballs ship them)
composer install --no-dev
# Apply any schema changes; --quick skips the confirmation countdown
php maintenance/update.php --quick
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.