Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-58024

CVE-2026-58024: MediaWiki Information Disclosure Flaw

CVE-2026-58024 is an information disclosure vulnerability in Wikimedia MediaWiki that exposes sensitive information to unauthorized actors. This post covers technical details, affected versions, and mitigation steps.

Published:

CVE-2026-58024 Overview

CVE-2026-58024 is an information disclosure vulnerability in Wikimedia Foundation MediaWiki. The flaw resides in the includes/Api/ApiUserrights.Php module, which handles user rights changes through the MediaWiki API. An authenticated actor with low privileges can trigger the exposure of sensitive information to unauthorized parties [CWE-200]. The issue affects MediaWiki versions prior to 1.46.0, 1.45.4, 1.44.6, and 1.43.9. The vulnerability carries a CVSS 4.0 score of 5.1 (Medium).

Critical Impact

An authenticated attacker with limited privileges can retrieve information through the user rights API that should be restricted to authorized administrators.

Affected Products

  • MediaWiki versions before 1.46.0
  • MediaWiki 1.45.x before 1.45.4, and 1.44.x before 1.44.6
  • MediaWiki 1.43.x before 1.43.9

Discovery Timeline

  • 2026-07-01 - CVE-2026-58024 published to NVD
  • 2026-07-01 - Last updated in NVD database

Technical Details for CVE-2026-58024

Vulnerability Analysis

The vulnerability exists in the MediaWiki API endpoint implemented by includes/Api/ApiUserrights.Php. This component processes requests that modify or query user rights assignments across the wiki. The implementation fails to enforce adequate access controls on data returned to callers, leading to disclosure of information intended only for privileged users. The Common Weakness Enumeration classification is [CWE-200] (Exposure of Sensitive Information to an Unauthorized Actor). Exploitation requires network access to the MediaWiki instance, low-privileged authentication, and user interaction. The confidentiality impact is limited, and integrity and availability are not affected.

Root Cause

The root cause is missing or insufficient authorization checks in the ApiUserrights API handler. The module returns metadata or response fields that leak information about user rights configurations or account attributes without verifying that the requester holds the necessary permissions. Refer to the Wikimedia Task T422085 tracker for maintainer details.

Attack Vector

An authenticated attacker sends crafted requests to the action=userrights API endpoint over the network. The response contains information the attacker should not be able to observe. Because user interaction is required per the CVSS 4.0 vector, exploitation is likely to involve tricking a privileged user into performing an action or occurs in workflows where a second party participates.

No public proof-of-concept code has been verified for this issue. See the Wikimedia Task T422085 for technical context.

Detection Methods for CVE-2026-58024

Indicators of Compromise

  • Unexpected action=userrights API requests originating from low-privileged accounts.
  • Anomalous read patterns against the MediaWiki API from single accounts querying many user identifiers.
  • Web server access log entries showing api.php requests with action=userrights parameters returning HTTP 200 to non-administrator sessions.

Detection Strategies

  • Enable MediaWiki API request logging and correlate ApiUserrights invocations with the calling account's group memberships.
  • Alert when non-admin accounts issue rights-related API queries at volume or against sensitive target accounts.
  • Baseline normal API usage patterns and flag deviations that involve the userrights module.

Monitoring Recommendations

  • Ship MediaWiki application logs, web server logs, and authentication events to a central analytics platform for retention and correlation.
  • Track the installed MediaWiki version across all wiki farms and alert when any instance runs a version below 1.43.9, 1.44.6, 1.45.4, or 1.46.0.
  • Review audit trails for user rights changes and information queries performed shortly after account creation or privilege elevation.

How to Mitigate CVE-2026-58024

Immediate Actions Required

  • Upgrade MediaWiki to a fixed release: 1.46.0, 1.45.4, 1.44.6, or 1.43.9, depending on the branch in use.
  • Audit accounts that recently queried the userrights API and review any unexpected access.
  • Restrict API access at the network layer where operationally feasible until patching completes.

Patch Information

Wikimedia Foundation has released fixed MediaWiki versions 1.46.0, 1.45.4, 1.44.6, and 1.43.9. Consult the Wikimedia Task T422085 tracker for maintainer notes and pull the corresponding release from the official MediaWiki distribution channel.

Workarounds

  • Limit API access to authenticated administrators using web server access rules for api.php where practical.
  • Reduce membership in groups that can authenticate to the wiki until the patch is applied.
  • Increase logging verbosity for the API subsystem to support rapid investigation of suspected abuse.
bash
# Configuration example: restrict api.php to authenticated sessions at the web server tier
# Apache example - require authentication in front of the MediaWiki API endpoint
<Location "/w/api.php">
    Require valid-user
</Location>

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.