CVE-2026-58026 Overview
CVE-2026-58026 is an information disclosure vulnerability in Wikimedia Foundation MediaWiki. The flaw resides in the includes/Parser/Parser.php component and enables an authenticated actor to obtain sensitive information that should remain restricted. The weakness is categorized under [CWE-200] Exposure of Sensitive Information to an Unauthorized Actor.
The issue affects MediaWiki releases prior to 1.46.0, 1.45.4, 1.44.6, and 1.43.9. Exploitation is network-reachable and requires low privileges plus user interaction. No public proof-of-concept, exploit code, or CISA KEV listing exists for this CVE at publication.
Critical Impact
An authenticated MediaWiki user can trigger the parser to reveal information that access controls should protect, undermining content confidentiality on affected wikis.
Affected Products
- Wikimedia Foundation MediaWiki versions before 1.43.9
- Wikimedia Foundation MediaWiki 1.44.x before 1.44.6 and 1.45.x before 1.45.4
- Wikimedia Foundation MediaWiki 1.46.x before 1.46.0
Discovery Timeline
- 2026-07-01 - CVE-2026-58026 published to NVD
- 2026-07-01 - Last updated in NVD database
Technical Details for CVE-2026-58026
Vulnerability Analysis
The vulnerability lives in MediaWiki's core wikitext parser at includes/Parser/Parser.php. The parser transforms user-submitted wikitext into rendered HTML and is responsible for expanding templates, transclusions, and parser functions. When the parser processes specific constructs, it fails to consistently enforce read restrictions on referenced content.
An authenticated actor with low privileges can craft wikitext that causes the parser to include or reveal information the requesting user should not see. Because MediaWiki powers public wikis and private knowledge bases alike, the disclosure surface includes restricted namespaces, protected pages, and template-driven metadata. The vulnerability requires user interaction (UI:P) to trigger the disclosure path.
The EPSS score is 0.382% with a percentile of 30.15, reflecting a low observed probability of near-term exploitation.
Root Cause
The root cause is missing or incomplete authorization checks inside parser code paths that resolve references to other wiki content. Parser routines evaluate transclusions and related directives without validating that the requester holds read permission on the target, producing output that leaks restricted material.
Attack Vector
An attacker authenticates to a vulnerable MediaWiki instance with any account permitted to save or preview wikitext. The attacker submits crafted wikitext that references restricted resources through the parser. When the parser renders the page, sensitive content is returned in the response. See the Wikimedia Task T299359 tracking entry for maintainer context.
No verified public exploit code exists. The vulnerability mechanism is described in prose only; refer to the upstream task for parser-level detail.
Detection Methods for CVE-2026-58026
Indicators of Compromise
- Anomalous edit or preview requests containing unusual template, transclusion, or parser-function chains targeting restricted namespaces.
- Rendered page output that includes content from protected pages accessed by users without corresponding read rights.
- Elevated frequency of preview API calls (action=parse, action=expandtemplates) from a single low-privilege account.
Detection Strategies
- Review MediaWiki access logs for POST requests to api.php invoking parse or expandtemplates with payloads referencing protected titles.
- Correlate authenticated user IDs against the namespaces and titles resolved during parser execution to flag cross-privilege reads.
- Compare rendered HTML output against the requesting user's effective read permissions to identify permission bypass artifacts.
Monitoring Recommendations
- Enable verbose parser and permission logging on production wikis and forward logs to a SIEM for correlation.
- Alert on new or low-reputation accounts submitting complex transclusion payloads shortly after registration.
- Monitor the MediaWiki RecentChanges and AbuseLog feeds for patterns consistent with reconnaissance of restricted namespaces.
How to Mitigate CVE-2026-58026
Immediate Actions Required
- Upgrade MediaWiki to 1.46.0, 1.45.4, 1.44.6, or 1.43.9 depending on the deployed branch.
- Audit user accounts and revoke edit privileges from unused or dormant accounts to reduce the authenticated attack surface.
- Review recent parser output and cached pages for evidence of unauthorized disclosure prior to patching.
Patch Information
Wikimedia Foundation resolved the issue in MediaWiki 1.46.0, 1.45.4, 1.44.6, and 1.43.9. Administrators should apply the fixed release matching their deployment branch. Reference the Wikimedia Task T299359 for maintainer notes on the parser fix.
Workarounds
- Restrict edit and preview capabilities to trusted user groups until the patch is applied.
- Disable or limit anonymous and self-registered account creation on private wikis.
- Purge and regenerate the parser cache after upgrade to remove any pre-patch cached output containing leaked content.
# Upgrade MediaWiki using the maintenance script after applying the patched release
php maintenance/update.php --quick
php maintenance/rebuildall.php
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

