Wikimedia Foundation Echo Exposure of Sensitive Information Vulnerability

Vulnerability

A vulnerability in the Wikimedia Foundation Echo extension allows any OAuth tool or BotPassword to access a user's notifications without holding the necessary permissions. This issue affects Echo versions prior to 1.43.7, 1.44.4, and 1.45.2. Because notifications can carry private data, the notifications API can inadvertently expose information such as email subject lines or acknowledgments to a tool that was never granted access to it.

Impact

The vulnerability could lead to unauthorized access to user notifications, potentially exposing private information.

Remediation

A new user right grant called 'echo-read-notifications' has been created and is now available to all users. Tools that need access to user notifications must request this grant; tools without it are denied access to the notifications API.
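The following Python model shows the difference the remediation makes: an authenticated OAuth consumer (or bot password) that was never issued the 'echo-read-notifications' grant could read notifications before the fix, and is refused afterwards. It also includes a small audit helper a tool operator can use to list consumers that call the notifications API without the grant. This is an added illustration, not Echo or MediaWiki code; the grant name comes from the advisory, while the consumer names, the 'basic' grant, the notification records and the `uses_notifications_api` flag are constructed for the example.

```python
"""Model of the Echo notifications-API authorization check, before and after the fix.

Added illustration, not Echo or MediaWiki code. Only the grant name
'echo-read-notifications' comes from the advisory; everything else here
(consumers, other grant names, notification records) is constructed.
"""
from dataclasses import dataclass

ECHO_READ_NOTIFICATIONS = "echo-read-notifications"  # grant introduced by the fix


class PermissionDenied(Exception):
    """Raised when a consumer lacks the grant an API module requires."""


@dataclass(frozen=True)
class Consumer:
    """An OAuth tool or bot password: an identity plus the grants it was issued."""
    name: str
    grants: frozenset
    uses_notifications_api: bool = False  # constructed flag used by the audit helper


# Constructed sample notification store, keyed by user name. The first record
# carries a mail subject line, the kind of private data the advisory mentions.
NOTIFICATIONS = {
    "Alice": [
        {"type": "emailuser", "subject": "Re: private draft"},
        {"type": "edit-thank", "from": "Bob"},
    ],
}


def fetch_notifications_vulnerable(consumer: Consumer, user: str) -> list:
    """Pre-fix behaviour: the consumer is authenticated, but its grant set is never
    consulted, so any tool acting for the user can read the user's notifications."""
    return list(NOTIFICATIONS.get(user, []))


def fetch_notifications_fixed(consumer: Consumer, user: str) -> list:
    """Post-fix behaviour: the notifications module is gated behind its own grant.
    A consumer issued only unrelated grants is refused before any data is read."""
    if ECHO_READ_NOTIFICATIONS not in consumer.grants:
        raise PermissionDenied(
            f"consumer {consumer.name!r} lacks grant {ECHO_READ_NOTIFICATIONS!r}"
        )
    return list(NOTIFICATIONS.get(user, []))


def consumers_needing_grant(consumers) -> list:
    """Audit helper for tool operators: names of consumers that call the
    notifications API but were not issued the new grant, so their requests
    will start failing once the fixed Echo version is deployed."""
    return sorted(
        c.name
        for c in consumers
        if c.uses_notifications_api and ECHO_READ_NOTIFICATIONS not in c.grants
    )


if __name__ == "__main__":
    edit_bot = Consumer("edit-bot", frozenset({"basic"}), uses_notifications_api=True)
    notifier = Consumer("notifier", frozenset({"basic", ECHO_READ_NOTIFICATIONS}),
                        uses_notifications_api=True)
    print("vulnerable:", fetch_notifications_vulnerable(edit_bot, "Alice"))
    try:
        fetch_notifications_fixed(edit_bot, "Alice")
    except PermissionDenied as exc:
        print("fixed:", exc)
    print("fixed, with grant:", fetch_notifications_fixed(notifier, "Alice"))
    print("consumers to update:", consumers_needing_grant([edit_bot, notifier]))
```

The point of the model is that authentication and authorization are separate checks: the pre-fix path only establishes who the consumer acts for, while the fixed path additionally requires a grant specific to the notifications module, which is what lets a user give a tool edit rights without also exposing the contents of their notifications.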

Added: May 11, 2026, 6:54 PM
Updated: May 11, 2026, 6:54 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 0.6
exploitability: 6.6
remediation: 0.0
relevance: 8.0
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.