CVE-2019-16738
Description
In MediaWiki through 1.33.0, Special:Redirect allows information disclosure of suppressed usernames via a User ID Lookup.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
MediaWiki Special:Redirect discloses suppressed usernames via user ID lookup, allowing enumeration of hidden accounts.
Root Cause
The vulnerability lies in the Special:Redirect page, specifically the /user/NNN path. When a numeric user ID is supplied, the page issues an HTTP redirect to that account's user page, whose URL contains the username, without first checking whether the account has been suppressed (hidden) [1]. This missing check allows any user, including unauthenticated ones, to learn the username behind a suppressed user ID.
Exploitation
An attacker can exploit this by iterating over user IDs with Special:Redirect/user/NNN, or by placing a wikilink such as [[Special:Redirect/user/SUPPRESSED_USER_ID]] on a page [1]. No special privileges are needed; MediaWiki user IDs are small sequential integers, so the attacker only needs to step through them. Each successful redirect reveals the suppressed username in the Location header of the response.
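Because the enumeration described above is a burst of requests to Special:Redirect/user/NNN with consecutive IDs, it leaves a clear trace in web-server access logs. The following detector is an added example for this page, not MediaWiki code: it parses Combined Log Format lines, extracts the numeric user ID from both URL shapes MediaWiki accepts (the /wiki/Special:Redirect/user/NNN path and the index.php?title= form), and flags any client that looks up many distinct IDs within a short window. The log lines, IP addresses and thresholds are constructed for the demonstration.

```python
"""Detect user-ID enumeration via Special:Redirect/user/NNN in access logs.

Added example for the CVE-2019-16738 page; not part of MediaWiki.  The log
lines in SAMPLE_LOG are constructed, not captured from a real wiki.
"""
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, Iterable, List, Optional, Tuple

# Both URL shapes MediaWiki serves the special page under; only the numeric
# user-ID variant is of interest for this CVE.
REDIRECT_USER_RE = re.compile(
    r'(?:/Special:Redirect/user/|title=Special:Redirect/user/)(\d+)'
)
# Combined Log Format: ip ident user [time] "method path proto" status size ...
CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

SAMPLE_LOG = """\
203.0.113.7 - - [12/Oct/2019:10:00:01 +0000] "GET /wiki/Special:Redirect/user/100 HTTP/1.1" 302 0 "-" "curl/7.64.0"
203.0.113.7 - - [12/Oct/2019:10:00:02 +0000] "GET /wiki/Special:Redirect/user/101 HTTP/1.1" 302 0 "-" "curl/7.64.0"
203.0.113.7 - - [12/Oct/2019:10:00:02 +0000] "GET /wiki/Special:Redirect/user/102 HTTP/1.1" 302 0 "-" "curl/7.64.0"
203.0.113.7 - - [12/Oct/2019:10:00:03 +0000] "GET /w/index.php?title=Special:Redirect/user/103 HTTP/1.1" 302 0 "-" "curl/7.64.0"
203.0.113.7 - - [12/Oct/2019:10:00:04 +0000] "GET /wiki/Special:Redirect/user/104 HTTP/1.1" 302 0 "-" "curl/7.64.0"
203.0.113.7 - - [12/Oct/2019:10:00:05 +0000] "GET /wiki/Special:Redirect/user/105 HTTP/1.1" 200 4211 "-" "curl/7.64.0"
198.51.100.2 - - [12/Oct/2019:10:00:07 +0000] "GET /wiki/Special:Redirect/user/42 HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.2 - - [12/Oct/2019:10:00:09 +0000] "GET /wiki/Main_Page HTTP/1.1" 200 18344 "-" "Mozilla/5.0"
"""

Event = Tuple[datetime, int, int]  # (timestamp, user_id, http_status)


def parse_line(line: str) -> Optional[Tuple[str, datetime, int, int]]:
    """Return (ip, timestamp, user_id, status) for a Special:Redirect/user
    lookup, or None for any other line."""
    m = CLF_RE.match(line)
    if not m:
        return None
    uid = REDIRECT_USER_RE.search(m.group('path'))
    if not uid:
        return None
    ts = datetime.strptime(m.group('ts'), '%d/%b/%Y:%H:%M:%S %z')
    return m.group('ip'), ts, int(uid.group(1)), int(m.group('status'))


def find_enumerators(lines: Iterable[str], min_ids: int = 5,
                     window_seconds: int = 300) -> Dict[str, Tuple[List[int], int]]:
    """Return {ip: (sorted distinct user IDs, number of 3xx responses)} for every
    client that looked up at least `min_ids` distinct user IDs inside some
    `window_seconds` span.  A 3xx response means the ID resolved to a
    username (the leak itself); non-3xx lookups still count as enumeration."""
    events: Dict[str, List[Event]] = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            ip, ts, uid, status = parsed
            events[ip].append((ts, uid, status))

    hits: Dict[str, Tuple[List[int], int]] = {}
    for ip, evs in events.items():
        evs.sort()
        for i, (start, _, _) in enumerate(evs):
            in_window = [e for e in evs[i:]
                         if (e[0] - start).total_seconds() <= window_seconds]
            ids = {uid for _, uid, _ in in_window}
            if len(ids) >= min_ids:
                resolved = sum(1 for _, _, st in in_window if 300 <= st < 400)
                hits[ip] = (sorted(ids), resolved)
                break  # one finding per client is enough
    return hits


if __name__ == '__main__':
    for ip, (ids, resolved) in find_enumerators(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {len(ids)} distinct user IDs ({ids[0]}..{ids[-1]}), "
              f"{resolved} resolved to a username")
```

Tune `min_ids` and `window_seconds` to the wiki's normal traffic; legitimate use of Special:Redirect/user is rare and almost never sequential, so even a low threshold produces few false positives. The count of 3xx responses tells the responder how many IDs actually resolved to a username and therefore how many names, suppressed or not, were disclosed to that client.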
Impact
Successful exploitation leads to information disclosure of suppressed usernames. Suppressed accounts are typically hidden for privacy or legal reasons, and their exposure undermines the intended confidentiality [2]. This can be used to identify users who have been hidden, potentially leading to further targeted attacks.
Mitigation
The issue was fixed in MediaWiki by checking the target account's suppressed status before performing the redirect [1]. Users should upgrade to a patched release (1.31.4, 1.32.4 or 1.33.1, or later). The fix is a small hardening change, but it should still be applied to maintain the integrity of user suppression [3].
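To make the root cause and the fix concrete, here is an added model of the /user/NNN lookup before and after the suppression check. It is illustration code written for this page, not MediaWiki's own PHP: the function names `dispatch_user_vulnerable` and `dispatch_user_fixed`, the in-memory user table, the `hideuser` right and the example wiki URL are all assumptions. The hardened variant here deliberately answers a suppressed ID exactly as it answers a nonexistent one, so the existence of a hidden account is not an oracle either; whether MediaWiki's actual patch behaves that way is not something this page states.

```python
"""Model of Special:Redirect/user/NNN before and after the suppression check.

Added example for the CVE-2019-16738 page.  Not MediaWiki code: the user
table, right names and URLs below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet


@dataclass
class WikiUser:
    user_id: int
    name: str
    hidden: bool = False  # True when the account has been suppressed


# Constructed user table standing in for the wiki's user rows.
USERS: Dict[int, WikiUser] = {
    1: WikiUser(1, "Admin"),
    2: WikiUser(2, "Alice"),
    3: WikiUser(3, "SuppressedVandal", hidden=True),
}

WIKI_BASE = "https://wiki.example/wiki/"  # assumed wiki URL


class RedirectNotNumeric(Exception):
    """Stands in for the redirect-not-numeric fatal status."""


class RedirectNotExists(Exception):
    """Stands in for the redirect-not-exists fatal status."""


def user_page_url(name: str) -> str:
    """Target of the redirect: the user page, which carries the username."""
    return WIKI_BASE + "User:" + name.replace(" ", "_")


def dispatch_user_vulnerable(value: str,
                             requester_rights: FrozenSet[str] = frozenset()) -> str:
    """Pre-fix behaviour: any existing ID redirects, suppressed or not."""
    if not value.isdigit():
        raise RedirectNotNumeric(value)
    user = USERS.get(int(value))
    if user is None:
        raise RedirectNotExists(value)
    # No suppression check here: the Location header leaks the hidden name.
    return user_page_url(user.name)


def dispatch_user_fixed(value: str,
                        requester_rights: FrozenSet[str] = frozenset()) -> str:
    """Post-fix behaviour: a suppressed ID only resolves for requesters who
    could see the hidden name anyway (modelled as the 'hideuser' right)."""
    if not value.isdigit():
        raise RedirectNotNumeric(value)
    user = USERS.get(int(value))
    if user is None:
        raise RedirectNotExists(value)
    if user.hidden and "hideuser" not in requester_rights:
        # Same response as a nonexistent ID, so the lookup is not an
        # existence oracle for suppressed accounts (a choice made in this
        # model; the page does not say what MediaWiki's fix returns).
        raise RedirectNotExists(value)
    return user_page_url(user.name)


def enumerate_names(dispatch: Callable[[str, FrozenSet[str]], str],
                    first_id: int, last_id: int,
                    rights: FrozenSet[str] = frozenset()) -> Dict[int, str]:
    """What an attacker learns by stepping through user IDs first..last."""
    found: Dict[int, str] = {}
    for uid in range(first_id, last_id + 1):
        try:
            url = dispatch(str(uid), rights)
        except (RedirectNotNumeric, RedirectNotExists):
            continue
        found[uid] = url.rsplit("User:", 1)[1]
    return found


if __name__ == "__main__":
    print("vulnerable:", enumerate_names(dispatch_user_vulnerable, 1, 5))
    print("fixed     :", enumerate_names(dispatch_user_fixed, 1, 5))
```

Run stand-alone, the vulnerable dispatcher hands an anonymous enumerator all three names, including the suppressed one, while the fixed dispatcher yields only the two visible accounts; a requester holding `hideuser` still resolves ID 3, which is the behaviour a suppression check should preserve for oversighters.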
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| mediawiki/core | Packagist | >= 1.31.0, < 1.31.4 | 1.31.4 |
| mediawiki/core | Packagist | >= 1.32.0, < 1.32.4 | 1.32.4 |
| mediawiki/core | Packagist | >= 1.33.0, < 1.33.1 | 1.33.1 |
Affected products
- cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
- cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:30:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:31:*:*:*:*:*:*:*
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- [1] phabricator.wikimedia.org/T230402 (Issue Tracking, Patch, Exploit, Third Party Advisory)
- [2] github.com/advisories/GHSA-7hwr-f745-5rwq (GitHub Security Advisory)
- [3] nvd.nist.gov/vuln/detail/CVE-2019-16738 (NVD)
- seclists.org/bugtraq/2019/Oct/32 (Mailing List, Third Party Advisory)
- www.debian.org/security/2019/dsa-4545 (Third Party Advisory)
- github.com/FriendsOfPHP/security-advisories/blob/master/mediawiki/core/CVE-2019-16738.yaml
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7OMG3BMUHGWTAPYTK2NXM6CXF6FYLOUO (Fedora package announcement)
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QBAOLXETM5BOYQG6OQVHGB2LNLZUXVN6 (Fedora package announcement)
News mentions
No linked articles in our index yet.