PatchSiren

CVE-2026-34094 Mediawiki CVE debrief

CVE-2026-34094 is a low-severity MediaWiki vulnerability affecting specific release branches before 1.43.7, 1.44.4, and 1.45.2. The NVD record points to Wikimedia’s Phabricator issue T416090 as the vendor advisory/patch reference. Based on the published CVSS v4.0 vector, exploitation is network-reachable but requires high privileges and some user interaction, with limited confidentiality impact and no listed integrity or availability impact.

Vendor: Mediawiki
Product: Unknown
CVSS: LOW 2
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-11
Original CVE updated: 2026-05-18
Advisory published: 2026-05-11
Advisory updated: 2026-05-18

Who should care

Wikimedia Foundation MediaWiki operators and administrators running affected versions, especially environments where privileged users can access page editing or article-handling workflows.

Technical summary

NVD identifies the issue as a vulnerability in MediaWiki associated with the program file includes/Page/Article.php. The record maps it to CWE-668 and lists the affected version ranges as all versions before 1.43.7, 1.44.0 up to but not including 1.44.4, and 1.45.0 up to but not including 1.45.2. The CVSS v4.0 vector indicates network access, high attack complexity, required privileges, partial user interaction, and low confidentiality impact.

Defensive priority

Routine patch priority. Apply the fixed release for your branch during the next maintenance window, with higher urgency for internet-facing deployments or systems that expose privileged MediaWiki workflows to many users.

Recommended defensive actions

  • Upgrade MediaWiki to 1.43.7, 1.44.4, 1.45.2, or a later fixed release in your supported branch.
  • Review Wikimedia Phabricator issue T416090 for vendor guidance and patch context.
  • Inventory all MediaWiki instances to confirm whether any affected version branches are deployed.
  • Validate the upgrade in a staging environment before production rollout.
  • Record the remediation in your vulnerability management and patch tracking process.
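For the inventory step, the version ranges above can be turned into a triage check. This is an added example, not code from PatchSiren, NVD or the MediaWiki project; it assumes each instance's version string has already been collected (for example from Special:Version or the `generator` field of the siteinfo API), and the status labels, hostnames and sample versions are constructed.

```python
import re

# Fixed release per branch, from the version ranges stated on this page.
FIXED = {(1, 43): (1, 43, 7), (1, 44): (1, 44, 4), (1, 45): (1, 45, 2)}
OLDEST_LISTED_BRANCH = min(FIXED)

_VERSION = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-(alpha|beta|rc|wmf)\S*)?", re.I)


def assess(generator):
    """Classify one version string, e.g. 'MediaWiki 1.43.6'.

    Returns (status, fixed_release); status is 'affected', 'fixed',
    'not-listed' (branch newer than any range on the page) or 'unknown'.
    """
    m = _VERSION.search(generator)
    if m is None:
        return ("unknown", None)
    version = (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))
    prerelease = m.group(4) is not None
    branch = version[:2]
    if branch < OLDEST_LISTED_BRANCH:
        # "All versions before 1.43.7" covers every older branch.
        return ("affected", "1.43.7")
    fixed = FIXED.get(branch)
    if fixed is None:
        return ("not-listed", None)
    # Assumption: a pre-release of the fixed version is treated as unfixed.
    if version < fixed or (version == fixed and prerelease):
        return ("affected", ".".join(map(str, fixed)))
    return ("fixed", None)


def triage(inventory):
    """Map host -> assessment, with affected hosts listed first."""
    results = {host: assess(gen) for host, gen in inventory.items()}
    return dict(sorted(results.items(), key=lambda kv: kv[1][0] != "affected"))


# Constructed sample inventory (hostnames and versions are illustrative).
SAMPLE = {
    "wiki-a.example.org": "MediaWiki 1.43.7",
    "wiki-b.example.org": "MediaWiki 1.44.0",
    "wiki-c.example.org": "MediaWiki 1.39.11",
    "wiki-d.example.org": "MediaWiki 1.45.2-rc.1",
}

if __name__ == "__main__":
    for host, (status, target) in triage(SAMPLE).items():
        print(f"{host:22} {status:11} {target or '-'}")
```

Hosts reported as `unknown` or `not-listed` need a manual check against the NVD record rather than being assumed safe.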

Evidence notes

This debrief is based only on the supplied NVD record and the linked Wikimedia Phabricator reference. The version ranges, CVSS characteristics, and CWE mapping come from the official NVD metadata; the vendor reference is T416090. No exploit details are included because none were provided in the source corpus.

Official resources

Publicly disclosed in the CVE record on 2026-05-11; NVD metadata was modified on 2026-05-18.