Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-58036

CVE-2026-58036: MediaWiki Information Disclosure Flaw

CVE-2026-58036 is an information disclosure vulnerability in Wikimedia Foundation MediaWiki that exposes sensitive information to unauthorized actors. This article covers technical details, affected versions, and mitigation.

Published:

CVE-2026-58036 Overview

CVE-2026-58036 is an information disclosure vulnerability in Wikimedia Foundation MediaWiki. The flaw exposes sensitive information to unauthorized actors through the API and permissions layer. Affected components include includes/Api/ApiQueryAllUsers.php, includes/Api/ApiQueryUsers.php, includes/Permissions/PermissionManager.php, and includes/User/UserGroupManager.php. The weakness is classified under [CWE-200] Exposure of Sensitive Information to an Unauthorized Actor. An authenticated attacker with low privileges can query MediaWiki APIs to enumerate user information that should remain restricted.

Critical Impact

Low-privileged authenticated users can retrieve sensitive user or group information via MediaWiki API endpoints, aiding reconnaissance against wiki communities.

Affected Products

  • Wikimedia Foundation MediaWiki - includes/Api/ApiQueryAllUsers.php
  • Wikimedia Foundation MediaWiki - includes/Api/ApiQueryUsers.php
  • Wikimedia Foundation MediaWiki - includes/Permissions/PermissionManager.php and includes/User/UserGroupManager.php

Discovery Timeline

  • 2026-07-01 - CVE-2026-58036 published to NVD
  • 2026-07-01 - Last updated in NVD database

Technical Details for CVE-2026-58036

Vulnerability Analysis

The vulnerability resides in MediaWiki's API query modules that expose user metadata. Endpoints such as ApiQueryAllUsers and ApiQueryUsers return account details that the permissions layer should filter based on the requester's rights. The permission checks implemented in PermissionManager.php and UserGroupManager.php fail to correctly restrict certain fields to authorized viewers. As a result, a user with low privileges can retrieve details intended for privileged operators. The EPSS probability of 0.239% indicates limited near-term exploitation likelihood, but the reconnaissance value remains meaningful for community-facing wikis.

Root Cause

The root cause is missing or incorrect authorization checks within the affected API and permission classes. When a client issues a query, the module returns user or group data without validating whether the requester holds the rights needed to view protected fields. This is a classic [CWE-200] pattern where output filtering is decoupled from authorization state.

Attack Vector

Exploitation requires network access to a MediaWiki instance and low-privileged authentication. The attacker sends crafted action=query requests to api.php targeting the allusers or users list modules with parameters that trigger the vulnerable code paths. User interaction is described in the CVSS vector as passive, meaning the attacker relies on standard workflows rather than social engineering. See the Wikimedia Task T425406 advisory for technical details.

No verified public exploit code is available at this time. Refer to the vendor advisory for the exact request patterns and remediated behavior.

Detection Methods for CVE-2026-58036

Indicators of Compromise

  • Repeated action=query&list=allusers or action=query&list=users requests from a single authenticated account enumerating large user ranges.
  • API responses returning group or block metadata to accounts that do not hold the userrights or equivalent permission.
  • Unusual growth in api.log entries referencing ApiQueryAllUsers or ApiQueryUsers from newly registered accounts.

Detection Strategies

  • Baseline normal MediaWiki API usage per account and alert on anomalies in query volume against user list endpoints.
  • Inspect application logs for authenticated sessions requesting user fields such as groups, rights, or blockinfo beyond their entitlement.
  • Correlate API queries with subsequent targeted actions such as harassment, spam, or credential stuffing against enumerated accounts.

Monitoring Recommendations

  • Forward MediaWiki api.log and web server access logs to a centralized analytics platform for continuous review.
  • Track per-user query rates against ApiQueryAllUsers and ApiQueryUsers and flag deviations from historical norms.
  • Monitor privilege-related fields in API responses to confirm the patched behavior after remediation.

How to Mitigate CVE-2026-58036

Immediate Actions Required

  • Apply the MediaWiki security release referenced in Wikimedia Task T425406 as soon as it is available for your branch.
  • Audit recent API activity for the affected endpoints and identify accounts that queried user metadata beyond their role.
  • Restrict API access to authenticated users only and disable anonymous querying of user lists where policy allows.

Patch Information

The Wikimedia Foundation tracks the fix under Phabricator task T425406. Administrators should upgrade to the corrected MediaWiki release for their maintained branch. Confirm that the patched versions of ApiQueryAllUsers.php, ApiQueryUsers.php, PermissionManager.php, and UserGroupManager.php are deployed.

Workarounds

  • Configure $wgGroupPermissions to remove the read or apihighlimits rights from untrusted user groups until the patch is applied.
  • Use $wgHiddenPrefs and rate-limiting configuration to reduce the volume of user data returned by the API.
  • Place the wiki behind an authenticated reverse proxy that restricts access to api.php for known user groups only.
bash
# Configuration example - restrict anonymous API user enumeration in LocalSettings.php
$wgGroupPermissions['*']['read'] = false;
$wgGroupPermissions['*']['createaccount'] = false;
$wgAPIListModules['allusers'] = 'ApiQueryDisabled';
$wgAPIListModules['users']    = 'ApiQueryDisabled';
$wgRateLimits['querypage']['user'] = [ 10, 60 ];

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.