CVE-2026-34093
Description
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Wikimedia Foundation MediaWiki.
This vulnerability is associated with the program file includes/Specials/SpecialUserRights.php.
This issue affects MediaWiki versions before 1.43.7, 1.44.4, and 1.45.2.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
MediaWiki SpecialUserRights.php exposes sensitive information to unauthorized actors in versions before 1.43.7, 1.44.4, 1.45.2.
Vulnerability Overview
CVE-2026-34093 describes an information exposure vulnerability in MediaWiki's SpecialUserRights page. The flaw exists in the file includes/Specials/SpecialUserRights.php, which improperly handles access controls, allowing an unauthorized actor to obtain sensitive information [1].
Exploitation
An attacker with network access to the MediaWiki instance can exploit this by crafting a request to the SpecialUserRights endpoint. No authentication is required, but the attacker must be able to send HTTP requests to the vulnerable page. The vulnerability is classified as medium severity with a CVSS v3 score of 5.3, indicating relatively easy exploitation [1].
Impact
Successful exploitation leads to the exposure of sensitive information, which may include user rights details or other internal data. This information could aid further attacks or violate user privacy.
Mitigation
The Wikimedia Foundation has released patches in MediaWiki versions 1.43.7, 1.44.4, and 1.45.2. Users are advised to upgrade to these or later versions to remediate the issue. No workarounds are documented.
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <1.43.7, >=1.44.0,<1.44.4, >=1.45.0,<1.45.2
Patches
No patches discovered yet.
References
[1] phabricator.wikimedia.org/T414547 · nvd · Issue Tracking, Vendor Advisory, Permissions Required
News mentions
- Debian 13.5 point release lands with security fixes, bug patches · Help Net Security · May 17, 2026