Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-58033

CVE-2026-58033: MediaWiki Information Disclosure Flaw

CVE-2026-58033 is an information disclosure vulnerability in Wikimedia MediaWiki that exposes sensitive data to unauthorized actors. This article covers the technical details, affected versions, and mitigation strategies.

Published:

CVE-2026-58033 Overview

CVE-2026-58033 is an information disclosure vulnerability in Wikimedia Foundation MediaWiki. The flaw resides in the includes/Actions/InfoAction.Php component and exposes sensitive information to unauthorized actors. The issue is classified under [CWE-200] Exposure of Sensitive Information to an Unauthorized Actor.

The vulnerability affects MediaWiki releases prior to 1.46.0, 1.45.4, 1.44.6, and 1.43.9. An unauthenticated attacker can reach the vulnerable action over the network, though exploitation requires user interaction. The confidentiality impact is limited, and no integrity or availability impact is reported.

Critical Impact

Unauthenticated network-based access to protected metadata through the MediaWiki InfoAction handler, potentially exposing information that should remain restricted to privileged users.

Affected Products

  • Wikimedia Foundation MediaWiki versions before 1.43.9
  • Wikimedia Foundation MediaWiki 1.44.x before 1.44.6 and 1.45.x before 1.45.4
  • Wikimedia Foundation MediaWiki 1.46.x before 1.46.0

Discovery Timeline

  • 2026-07-01 - CVE-2026-58033 published to NVD
  • 2026-07-01 - Last updated in NVD database

Technical Details for CVE-2026-58033

Vulnerability Analysis

The vulnerability originates in the InfoAction handler at includes/Actions/InfoAction.Php. This handler renders the page information view accessible through the action=info URL parameter on any MediaWiki article. The action assembles metadata about a page, including contributors, protection status, and related administrative details.

The implementation fails to enforce sufficient authorization controls before returning specific metadata fields. As a result, information intended to be restricted to privileged users can be retrieved by unauthenticated visitors. The scope is limited to a low confidentiality impact per the CVSS 4.0 assessment, and the flaw does not permit modification or service disruption.

The MediaWiki development task tracks the underlying fix and code changes. See the Wikimedia Task Description for the maintainer's technical notes.

Root Cause

The root cause is missing or incomplete access-control checks in the InfoAction code path. Fields returned by the action are aggregated without validating whether the requester has permission to view each individual data element. This allows anonymous users to observe metadata that should be gated behind user rights.

Attack Vector

An attacker sends a standard HTTP GET request to a target MediaWiki page with the action=info parameter. The server processes the request through InfoAction.Php and returns metadata in the response body. User interaction is required, consistent with the CVSS UI:P designation, meaning the attacker relies on a user-driven flow such as visiting a crafted link or triggering the info view in a browsing session.

No authentication, credentials, or elevated privileges are needed. The attack requires only network reachability to the MediaWiki instance.

Detection Methods for CVE-2026-58033

Indicators of Compromise

  • Unusual volume of HTTP requests containing action=info targeting article pages from unauthenticated sources
  • Access log entries showing repeated InfoAction invocations across many page titles in a short window
  • Anonymous session User-Agent strings enumerating page info endpoints across the wiki namespace

Detection Strategies

  • Review MediaWiki web server access logs for anomalous patterns of action=info requests, especially bulk enumeration by a single client
  • Correlate InfoAction requests with the requester's authentication state to identify anonymous access to restricted metadata
  • Compare the running MediaWiki version against the fixed releases (1.43.9, 1.44.6, 1.45.4, 1.46.0) to confirm exposure

Monitoring Recommendations

  • Enable verbose HTTP request logging on the front-end web server or reverse proxy fronting MediaWiki
  • Alert on high-rate access to the action=info endpoint from a single IP or session
  • Track MediaWiki Special:Version output to detect drift from the patched release baseline

How to Mitigate CVE-2026-58033

Immediate Actions Required

  • Upgrade MediaWiki to 1.46.0, 1.45.4, 1.44.6, or 1.43.9 depending on the deployed release branch
  • Audit access logs for prior enumeration of action=info endpoints by unauthenticated clients
  • Restrict anonymous access to the wiki at the reverse proxy layer if patching cannot be applied immediately

Patch Information

Wikimedia Foundation has released patched versions across supported branches: 1.46.0, 1.45.4, 1.44.6, and 1.43.9. Details of the underlying task and remediation are available in the Wikimedia Task Description.

Workarounds

  • Block or rate-limit requests containing the action=info query parameter at the web server or WAF layer until patching completes
  • Require authentication for all page views using the $wgGroupPermissions['*']['read'] = false; configuration to reduce anonymous exposure
  • Monitor and throttle unauthenticated traffic to the wiki through reverse proxy access controls
bash
# Configuration example: require login for read access in LocalSettings.php
$wgGroupPermissions['*']['read'] = false;
$wgGroupPermissions['user']['read'] = true;
$wgWhitelistRead = array( 'Main Page', 'Special:UserLogin' );

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.