Wikimedia MediaWiki CentralAuth Extension Resource Leak Vulnerability

Vulnerability

A vulnerability in the Wikimedia Foundation's MediaWiki CentralAuth Extension stems from the improper removal of sensitive information, such as email addresses, before storage or transfer. Because residual sensitive data remains where it should have been cleared, the issue manifests as a resource leak that exposes that data. The vulnerability affects non-release branches of the CentralAuth Extension.

Impact

Exploitation of this vulnerability could result in the unintended exposure of user email addresses and other sensitive information, such as password data, from the global user database to local wiki databases.

Reproduction

The vulnerability can be reproduced by initiating the global account vanishing process for a user. This process is supposed to remove the user's email address from all databases; however, the address remains in the local user table of the individual wikis, creating a discrepancy between the global and local records and a potential information leak.

Remediation

The vulnerability has been addressed in version 1.46.0-wmf.16 of the MediaWiki CentralAuth Extension.

Added: Apr 7, 2026, 11:15 PM
Updated: Apr 7, 2026, 11:15 PM

Vulnerability Rating

Custom Algorithm

Category        Score
spread          0.0
impact          2.5
exploitability  5.7
remediation     0.0
relevance       5.4
threat          6.4
urgency         2.9
incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.