CVE-2019-12474
Description
Wikimedia MediaWiki 1.23.0 through 1.32.1 has an information leak. Privileged API responses that include whether a recent change has been patrolled may be cached publicly. Fixed in 1.32.2, 1.31.2, 1.30.2 and 1.27.6.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
MediaWiki information leak: privileged API responses indicating whether a recent change is patrolled may be cached publicly, undoing access controls.
Vulnerability Details
CVE-2019-12474 is an information disclosure vulnerability in Wikimedia MediaWiki versions 1.23.0 through 1.32.1. The issue lies in the ApiQueryRecentChanges module, which returns information about recent edits. When a request filters results by patrol status (e.g., patrolled, !patrolled, unpatrolled, autopatrolled, !autopatrolled), the API correctly restricts such queries to users with the patrol or patrolmarks permission. However, the module's getCacheMode() method fails to set the cache mode to private for these parameter values, so a response that was only produced because the caller held the permission may be stored in a shared or public cache [1].
Exploitation and Attack Surface
An attacker does not need any authentication to exploit this vulnerability. By crafting an API request that includes a patrol-filtering parameter (such as show=!patrolled), the attacker can trigger a response that, if cached publicly, can be retrieved by any user without the required permissions. The attack requires that the MediaWiki instance uses a shared caching layer (e.g., Varnish, Squid) or that the responses are cached by an intermediate proxy. Once cached, the privileged information becomes accessible to anyone who can query the cached resource [2].
Impact
Successful exploitation leaks information about which recent changes have been patrolled or not patrolled (including autopatrolled status). This reveals editorial workflow details, such as which edits have been reviewed and possibly by whom. While the impact is limited to metadata, it breaks the intended access control and can aid attackers in targeting unpatrolled edits or identifying trusted editors [1][3].
Mitigation
The vulnerability was fixed in MediaWiki 1.32.2, 1.31.2, 1.30.2, and 1.27.6 by setting the private cache mode for all patrol-related filter parameters [1][2][3]. Users still running versions 1.23.0 through 1.32.1 should upgrade immediately. No workaround is available besides disabling caching or restricting access to the API entirely; the safest course is to apply the security patch [4].
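To make the mechanism described in the Details and Mitigation sections concrete, the following Python model is an added illustration and is not MediaWiki's code. It models a cache-mode decision for a recent-changes API: a version that never consults the patrol filters (the behaviour the description attributes to the vulnerable getCacheMode()) beside one that forces private caching whenever a permission-gated filter is present, plus a small checker that flags a Cache-Control header inconsistent with the filters in the request. The five show values come from the CVE description; the function names, the header strings and the sample requests are assumptions constructed for this example.

```python
"""Model of the cache-mode decision behind CVE-2019-12474.

Added example, not MediaWiki code. It shows why any API response whose
content depends on the caller's rights must be marked private, and how a
defender can check observed Cache-Control headers for this class of bug.
"""

# Patrol-related 'show' values named in the CVE description. A request
# using any of them is only honoured for users with the patrol or
# patrolmarks right, so the resulting response is caller-specific.
PATROL_SHOW_VALUES = frozenset(
    {"patrolled", "!patrolled", "unpatrolled", "autopatrolled", "!autopatrolled"}
)


def parse_show(params):
    """Split the pipe-separated 'show' query parameter into a set of flags."""
    raw = params.get("show", "")
    return {flag for flag in raw.split("|") if flag}


def requires_patrol_right(params):
    """True when the request asks for a filter that only patrollers may use."""
    return bool(parse_show(params) & PATROL_SHOW_VALUES)


def cache_mode_vulnerable(params):
    """Modelled pre-fix behaviour (simplified assumption): the patrol filters
    are never consulted, so a privileged response is declared public."""
    return "public"


def cache_mode_fixed(params):
    """Modelled post-fix behaviour: reuse the same value list the permission
    check uses, so the cache decision cannot drift from the access control."""
    if requires_patrol_right(params):
        return "private"
    return "public"


def audit_response(params, cache_control):
    """Compare an observed Cache-Control header with the mode the request
    requires. Returns a list of findings; an empty list means no problem.

    Run here against constructed headers; the same check applies to headers
    captured from a deployment behind a shared cache such as Varnish.
    """
    findings = []
    directives = {d.strip().lower() for d in cache_control.split(",")}
    if cache_mode_fixed(params) == "private":
        if "private" not in directives:
            findings.append("privileged patrol filter served without Cache-Control: private")
        if "public" in directives:
            findings.append("privileged patrol filter explicitly marked public")
    return findings


if __name__ == "__main__":
    # Constructed sample requests and headers, not captured traffic.
    leaking = {"action": "query", "list": "recentchanges", "show": "!patrolled"}
    benign = {"action": "query", "list": "recentchanges", "show": "minor"}
    print("vulnerable mode:", cache_mode_vulnerable(leaking))   # public
    print("fixed mode:     ", cache_mode_fixed(leaking))        # private
    print(audit_response(leaking, "public, max-age=300"))       # two findings
    print(audit_response(leaking, "private, must-revalidate, max-age=0"))  # []
    print(audit_response(benign, "public, max-age=300"))        # []
```

The design point is the shared PATROL_SHOW_VALUES constant: the permission check and the cache-mode check consult one list, so adding a new privileged filter value cannot leave the cache decision behind. The audit function is the check to run against a staging instance after upgrading, feeding it the query parameters and the Cache-Control header of each response.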
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| mediawiki/core | Packagist | >= 1.27.0, < 1.27.6 | 1.27.6 |
| mediawiki/core | Packagist | >= 1.30.0, < 1.30.2 | 1.30.2 |
| mediawiki/core | Packagist | >= 1.31.0, < 1.31.2 | 1.31.2 |
| mediawiki/core | Packagist | >= 1.32.0, < 1.32.2 | 1.32.2 |
Affected products
- Wikimedia/MediaWiki
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- https://github.com/advisories/GHSA-2qrr-c2gh-pr35 (GHSA advisory)
- https://nvd.nist.gov/vuln/detail/CVE-2019-12474 (NVD advisory)
- https://www.debian.org/security/2019/dsa-4460 (Debian vendor advisory)
- https://github.com/FriendsOfPHP/security-advisories/blob/master/mediawiki/core/CVE-2019-12474.yaml
- https://lists.wikimedia.org/pipermail/wikitech-l/2019-June/092152.html (vendor confirmation)
- https://phabricator.wikimedia.org/T212118
- https://seclists.org/bugtraq/2019/Jun/12 (Bugtraq mailing list)
News mentions
No linked articles in our index yet.