CVE-2026-58520 Overview
CVE-2026-58520 is an open redirect vulnerability in the Wikimedia Foundation's MediaWiki UrlShortener extension. The flaw is classified under CWE-601 (URL Redirection to Untrusted Site) and enables Cross-Site Flashing attacks. Attackers can craft shortened URLs that redirect victims to attacker-controlled destinations while appearing to originate from a trusted MediaWiki instance.
The issue affects UrlShortener versions prior to 1.43.9, 1.44.6, and 1.45.4. Because the vulnerability requires no authentication, no privileges, and no user interaction beyond clicking a link, it lends itself to phishing campaigns and social engineering operations that abuse the reputation of Wikimedia-hosted sites.
Critical Impact
Attackers can weaponize shortened URLs on trusted MediaWiki hosts to redirect users to malicious sites, enabling phishing and Cross-Site Flashing attacks that bypass URL reputation checks.
Affected Products
- MediaWiki UrlShortener extension versions before 1.43.9
- MediaWiki UrlShortener extension 1.44.x before 1.44.6
- MediaWiki UrlShortener extension 1.45.x before 1.45.4
Discovery Timeline
- 2026-07-01 - CVE-2026-58520 published to the National Vulnerability Database
- 2026-07-01 - Last updated in NVD database
Technical Details for CVE-2026-58520
Vulnerability Analysis
The UrlShortener extension generates short links that resolve to full URLs stored in the MediaWiki database. The vulnerability stems from insufficient validation of redirect destinations returned to the client. An attacker who can influence the target URL associated with a shortened link causes the server to issue an HTTP redirect to an arbitrary external site.
Cross-Site Flashing refers to abusing an open redirect to load attacker-controlled Flash or interactive content in the security context of the trusted origin's referrer chain. While Flash is deprecated, the same class of redirect abuse extends to modern payloads including credential harvesting pages, malware downloads, and OAuth token theft flows.
The attack does not require authentication and executes purely over the network path. Confidentiality, integrity, and availability impacts extend to subsequent systems the user interacts with after the redirect.
Root Cause
The extension fails to enforce an allowlist of trusted redirect targets or to validate that the destination host matches the originating MediaWiki instance's expected domains. Full technical detail is tracked in the Wikimedia Phabricator Task T418431.
Attack Vector
The attacker submits a URL to the shortener endpoint or manipulates an existing entry to point to a malicious host. The attacker then distributes the resulting short link through email, chat, or social media. Victims trusting the MediaWiki domain follow the link and land on an attacker-controlled page. The remediation is documented in the Wikimedia Gerrit Patch I7a59cc4.
Detection Methods for CVE-2026-58520
Indicators of Compromise
- Shortened URLs generated by the UrlShortener extension resolving to external domains outside the wiki's expected redirect scope.
- HTTP 302 or 301 responses from Special:UrlShortener or Special:UrlRedirector endpoints pointing to unfamiliar hosts.
- Spikes in short-link creation from single client IPs or unauthenticated sessions.
Detection Strategies
- Review web server access logs for redirect chains originating from the UrlShortener extension paths.
- Correlate outbound redirect destinations against a maintained allowlist of approved Wikimedia and partner domains.
- Alert on newly created short URLs that resolve to domains registered within the last 30 days.
Monitoring Recommendations
- Ingest MediaWiki access and audit logs into a centralized SIEM for redirect pattern analysis.
- Track referrer headers on downstream properties to identify users arriving from compromised short links.
- Deploy URL reputation scanning on outbound redirect targets before serving them to clients.
How to Mitigate CVE-2026-58520
Immediate Actions Required
- Upgrade the UrlShortener extension to version 1.43.9, 1.44.6, 1.45.4, or later depending on your MediaWiki branch.
- Audit existing shortened URLs in the database for entries pointing to untrusted external domains.
- Purge or disable suspect short links pending manual review.
Patch Information
Wikimedia has published the fix in the Wikimedia Gerrit Patch I7a59cc4. Operators running self-hosted MediaWiki installations must pull the updated extension from the official repository and redeploy. The associated tracking ticket is available at Wikimedia Phabricator Task T418431.
Workarounds
- Restrict short URL creation to authenticated, trusted user groups by adjusting $wgGroupPermissions for the urlshortener-create-url right.
- Configure $wgUrlShortenerAllowedDomains (where supported) to constrain permissible redirect destinations to a defined allowlist.
- Place a reverse proxy in front of MediaWiki to strip or block redirects targeting non-approved domains.
# Configuration example - restrict short URL creation and enforce domain allowlist in LocalSettings.php
$wgGroupPermissions['*']['urlshortener-create-url'] = false;
$wgGroupPermissions['user']['urlshortener-create-url'] = false;
$wgGroupPermissions['sysop']['urlshortener-create-url'] = true;
$wgUrlShortenerAllowedDomains = [
'example.org',
'*.wikipedia.org',
];
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

