BotPasswords can bypass CentralAuth's account lock
Description
MediaWiki 1.31 before 1.31.1, 1.30.1, 1.29.3 and 1.27.5 contains a flaw where BotPasswords can bypass CentralAuth's account lock
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
MediaWiki BotPasswords can bypass CentralAuth's account lock, allowing attackers to use a bot password to circumvent account restrictions in versions before 1.31.1, 1.30.1, 1.29.3, and 1.27.5.
Vulnerability
MediaWiki versions 1.31 before 1.31.1, 1.30.1, 1.29.3, and 1.27.5 contain a flaw in the BotPasswords feature that allows a bot password to bypass CentralAuth's account lock [1][2]. The vulnerability exists when CentralAuth is used to lock an account: normally the lock prevents all actions, but a bot password registered for that account can still be used to perform actions on its behalf.
Exploitation
An attacker who possesses a valid bot password for a locked account can use that password to execute actions as if the account were not locked [1]. The attacker must already have a bot password registered for the target account. No additional privileges or user interaction is required beyond possession of the bot password.
Impact
Successful exploitation allows an attacker to bypass the account lock enforced by CentralAuth, effectively performing actions (such as edits, API calls, etc.) on behalf of a locked account [2]. This undermines the security measure of account locking, potentially leading to unauthorized changes or information disclosure.
Mitigation
Upgrade to fixed versions: MediaWiki 1.31.1, 1.30.1, 1.29.3, or 1.27.5 [2]. Note that MediaWiki 1.29 reached end-of-life in July 2018, so upgrading to a supported branch (1.31 or later) is recommended [2]. Updates are also available via Red Hat OpenShift Container Platform advisories RHSA-2019:3142 and RHSA-2019:3238 for affected deployments [3][4].
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| mediawiki/core (Packagist) | >= 1.27.0, < 1.27.5 | 1.27.5 |
| mediawiki/core (Packagist) | >= 1.29.0, < 1.29.3 | 1.29.3 |
| mediawiki/core (Packagist) | >= 1.30.0, < 1.30.1 | 1.30.1 |
| mediawiki/core (Packagist) | >= 1.31.0, < 1.31.1 | 1.31.1 |
Affected products
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- access.redhat.com/errata/RHSA-2019:3142 (vendor advisory, Red Hat)
- access.redhat.com/errata/RHSA-2019:3238 (vendor advisory, Red Hat)
- access.redhat.com/errata/RHSA-2019:3813 (vendor advisory, Red Hat)
- github.com/advisories/GHSA-5c6w-f4w2-2grp (GitHub Security Advisory)
- nvd.nist.gov/vuln/detail/CVE-2018-0505 (NVD advisory)
- www.debian.org/security/2018/dsa-4301 (vendor advisory, Debian)
- www.securitytracker.com/id/1041695 (vulnerability database entry, SecurityTracker)
- github.com/FriendsOfPHP/security-advisories/blob/master/mediawiki/core/CVE-2018-0505.yaml (web)
- lists.wikimedia.org/pipermail/wikitech-l/2018-September/090849.html (mailing list, wikitech-l)
- phabricator.wikimedia.org/T194605 (vendor confirmation, Wikimedia Phabricator)
News mentions
No linked articles in our index yet.