CVE-2026-58033 Overview
CVE-2026-58033 is an information disclosure vulnerability in Wikimedia Foundation MediaWiki. The flaw resides in the includes/Actions/InfoAction.Php component and exposes sensitive information to unauthorized actors. The issue is classified under [CWE-200] Exposure of Sensitive Information to an Unauthorized Actor.
The vulnerability affects MediaWiki releases prior to 1.46.0, 1.45.4, 1.44.6, and 1.43.9. An unauthenticated attacker can reach the vulnerable action over the network, though exploitation requires user interaction. The confidentiality impact is limited, and no integrity or availability impact is reported.
Critical Impact
Unauthenticated network-based access to protected metadata through the MediaWiki InfoAction handler, potentially exposing information that should remain restricted to privileged users.
Affected Products
- Wikimedia Foundation MediaWiki versions before 1.43.9
- Wikimedia Foundation MediaWiki 1.44.x before 1.44.6 and 1.45.x before 1.45.4
- Wikimedia Foundation MediaWiki 1.46.x before 1.46.0
Discovery Timeline
- 2026-07-01 - CVE-2026-58033 published to NVD
- 2026-07-01 - Last updated in NVD database
Technical Details for CVE-2026-58033
Vulnerability Analysis
The vulnerability originates in the InfoAction handler at includes/Actions/InfoAction.Php. This handler renders the page information view accessible through the action=info URL parameter on any MediaWiki article. The action assembles metadata about a page, including contributors, protection status, and related administrative details.
The implementation fails to enforce sufficient authorization controls before returning specific metadata fields. As a result, information intended to be restricted to privileged users can be retrieved by unauthenticated visitors. The scope is limited to a low confidentiality impact per the CVSS 4.0 assessment, and the flaw does not permit modification or service disruption.
The MediaWiki development task tracks the underlying fix and code changes. See the Wikimedia Task Description for the maintainer's technical notes.
Root Cause
The root cause is missing or incomplete access-control checks in the InfoAction code path. Fields returned by the action are aggregated without validating whether the requester has permission to view each individual data element. This allows anonymous users to observe metadata that should be gated behind user rights.
Attack Vector
An attacker sends a standard HTTP GET request to a target MediaWiki page with the action=info parameter. The server processes the request through InfoAction.Php and returns metadata in the response body. User interaction is required, consistent with the CVSS UI:P designation, meaning the attacker relies on a user-driven flow such as visiting a crafted link or triggering the info view in a browsing session.
No authentication, credentials, or elevated privileges are needed. The attack requires only network reachability to the MediaWiki instance.
Detection Methods for CVE-2026-58033
Indicators of Compromise
- Unusual volume of HTTP requests containing action=info targeting article pages from unauthenticated sources
- Access log entries showing repeated InfoAction invocations across many page titles in a short window
- Anonymous session User-Agent strings enumerating page info endpoints across the wiki namespace
Detection Strategies
- Review MediaWiki web server access logs for anomalous patterns of action=info requests, especially bulk enumeration by a single client
- Correlate InfoAction requests with the requester's authentication state to identify anonymous access to restricted metadata
- Compare the running MediaWiki version against the fixed releases (1.43.9, 1.44.6, 1.45.4, 1.46.0) to confirm exposure
Monitoring Recommendations
- Enable verbose HTTP request logging on the front-end web server or reverse proxy fronting MediaWiki
- Alert on high-rate access to the action=info endpoint from a single IP or session
- Track MediaWiki Special:Version output to detect drift from the patched release baseline
How to Mitigate CVE-2026-58033
Immediate Actions Required
- Upgrade MediaWiki to 1.46.0, 1.45.4, 1.44.6, or 1.43.9 depending on the deployed release branch
- Audit access logs for prior enumeration of action=info endpoints by unauthenticated clients
- Restrict anonymous access to the wiki at the reverse proxy layer if patching cannot be applied immediately
Patch Information
Wikimedia Foundation has released patched versions across supported branches: 1.46.0, 1.45.4, 1.44.6, and 1.43.9. Details of the underlying task and remediation are available in the Wikimedia Task Description.
Workarounds
- Block or rate-limit requests containing the action=info query parameter at the web server or WAF layer until patching completes
- Require authentication for all page views using the $wgGroupPermissions['*']['read'] = false; configuration to reduce anonymous exposure
- Monitor and throttle unauthenticated traffic to the wiki through reverse proxy access controls
# Configuration example: require login for read access in LocalSettings.php
$wgGroupPermissions['*']['read'] = false;
$wgGroupPermissions['user']['read'] = true;
$wgWhitelistRead = array( 'Main Page', 'Special:UserLogin' );
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

