CVE-2026-58036 Overview
CVE-2026-58036 is an information disclosure vulnerability in Wikimedia Foundation MediaWiki. The flaw exposes sensitive information to unauthorized actors through the API and permissions layer. Affected components include includes/Api/ApiQueryAllUsers.php, includes/Api/ApiQueryUsers.php, includes/Permissions/PermissionManager.php, and includes/User/UserGroupManager.php. The weakness is classified under [CWE-200] Exposure of Sensitive Information to an Unauthorized Actor. An authenticated attacker with low privileges can query MediaWiki APIs to enumerate user information that should remain restricted.
Critical Impact
Low-privileged authenticated users can retrieve sensitive user or group information via MediaWiki API endpoints, aiding reconnaissance against wiki communities.
Affected Products
- Wikimedia Foundation MediaWiki - includes/Api/ApiQueryAllUsers.php
- Wikimedia Foundation MediaWiki - includes/Api/ApiQueryUsers.php
- Wikimedia Foundation MediaWiki - includes/Permissions/PermissionManager.php and includes/User/UserGroupManager.php
Discovery Timeline
- 2026-07-01 - CVE-2026-58036 published to NVD
- 2026-07-01 - Last updated in NVD database
Technical Details for CVE-2026-58036
Vulnerability Analysis
The vulnerability resides in MediaWiki's API query modules that expose user metadata. Endpoints such as ApiQueryAllUsers and ApiQueryUsers return account details that the permissions layer should filter based on the requester's rights. The permission checks implemented in PermissionManager.php and UserGroupManager.php fail to correctly restrict certain fields to authorized viewers. As a result, a user with low privileges can retrieve details intended for privileged operators. The EPSS probability of 0.239% indicates limited near-term exploitation likelihood, but the reconnaissance value remains meaningful for community-facing wikis.
Root Cause
The root cause is missing or incorrect authorization checks within the affected API and permission classes. When a client issues a query, the module returns user or group data without validating whether the requester holds the rights needed to view protected fields. This is a classic [CWE-200] pattern where output filtering is decoupled from authorization state.
Attack Vector
Exploitation requires network access to a MediaWiki instance and low-privileged authentication. The attacker sends crafted action=query requests to api.php targeting the allusers or users list modules with parameters that trigger the vulnerable code paths. User interaction is described in the CVSS vector as passive, meaning the attacker relies on standard workflows rather than social engineering. See the Wikimedia Task T425406 advisory for technical details.
No verified public exploit code is available at this time. Refer to the vendor advisory for the exact request patterns and remediated behavior.
Detection Methods for CVE-2026-58036
Indicators of Compromise
- Repeated action=query&list=allusers or action=query&list=users requests from a single authenticated account enumerating large user ranges.
- API responses returning group or block metadata to accounts that do not hold the userrights or equivalent permission.
- Unusual growth in api.log entries referencing ApiQueryAllUsers or ApiQueryUsers from newly registered accounts.
Detection Strategies
- Baseline normal MediaWiki API usage per account and alert on anomalies in query volume against user list endpoints.
- Inspect application logs for authenticated sessions requesting user fields such as groups, rights, or blockinfo beyond their entitlement.
- Correlate API queries with subsequent targeted actions such as harassment, spam, or credential stuffing against enumerated accounts.
Monitoring Recommendations
- Forward MediaWiki api.log and web server access logs to a centralized analytics platform for continuous review.
- Track per-user query rates against ApiQueryAllUsers and ApiQueryUsers and flag deviations from historical norms.
- Monitor privilege-related fields in API responses to confirm the patched behavior after remediation.
How to Mitigate CVE-2026-58036
Immediate Actions Required
- Apply the MediaWiki security release referenced in Wikimedia Task T425406 as soon as it is available for your branch.
- Audit recent API activity for the affected endpoints and identify accounts that queried user metadata beyond their role.
- Restrict API access to authenticated users only and disable anonymous querying of user lists where policy allows.
Patch Information
The Wikimedia Foundation tracks the fix under Phabricator task T425406. Administrators should upgrade to the corrected MediaWiki release for their maintained branch. Confirm that the patched versions of ApiQueryAllUsers.php, ApiQueryUsers.php, PermissionManager.php, and UserGroupManager.php are deployed.
Workarounds
- Configure $wgGroupPermissions to remove the read or apihighlimits rights from untrusted user groups until the patch is applied.
- Use $wgHiddenPrefs and rate-limiting configuration to reduce the volume of user data returned by the API.
- Place the wiki behind an authenticated reverse proxy that restricts access to api.php for known user groups only.
# Configuration example - restrict anonymous API user enumeration in LocalSettings.php
$wgGroupPermissions['*']['read'] = false;
$wgGroupPermissions['*']['createaccount'] = false;
$wgAPIListModules['allusers'] = 'ApiQueryDisabled';
$wgAPIListModules['users'] = 'ApiQueryDisabled';
$wgRateLimits['querypage']['user'] = [ 10, 60 ];
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

