PatchSiren cyber security CVE debrief
CVE-2026-13707 Wikimedia Foundation CVE debrief
A session fixation vulnerability was found in the Wikimedia Foundation OAuth, affecting MediaWiki versions from * through 1.46.0, 1.45.4, 1.44.6, and 1.43.9. This issue is associated with program files src/Backend/MWOAuthServer.Php. The vulnerability allows an attacker to fixate a user's session, potentially leading to unauthorized access. Administrators and users of MediaWiki installations, particularly those using affected versions, should be aware of this vulnerability and take necessary actions to protect their systems. The CVE record was published on 2026-07-01T16:16:31.743Z and was last modified on 2026-07-13T15:29:34.090Z.
- Vendor
- Wikimedia Foundation
- Product
- OAuth
- CVSS
- NONE
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-01
- Original CVE updated
- 2026-07-13
- Advisory published
- 2026-07-01
- Advisory updated
- 2026-07-13
Who should care
Administrators and users of MediaWiki installations, particularly those using affected versions, should be aware of this vulnerability and take necessary actions to protect their systems. This includes reviewing and monitoring user sessions, implementing additional security measures such as two-factor authentication, and ensuring that MediaWiki is updated to a version that is not affected by this vulnerability.
Technical summary
The session fixation vulnerability in Wikimedia Foundation OAuth allows an attacker to fixate a user's session, potentially leading to unauthorized access. This issue is associated with the MWOAuthServer.Php file and affects various MediaWiki versions from * through 1.46.0, 1.45.4, 1.44.6, and 1.43.9. The vulnerability can be mitigated by updating MediaWiki to a non-affected version and implementing additional security measures.
Defensive priority
High
Recommended defensive actions
- Update MediaWiki to a version that is not affected by this vulnerability
- Review and monitor user sessions for any suspicious activity
- Implement additional security measures, such as two-factor authentication
- Review compensating controls for exposed systems while remediation is scheduled and verified
- Check relevant monitoring, detection, and logs for exposed assets that need extra review
Evidence notes
The CVE record was published on 2026-07-01T16:16:31.743Z and was last modified on 2026-07-13T15:29:34.090Z. The NVD entry is currently Analyzed. This information is based on the supplied source corpus and may not reflect the full scope of the vulnerability. Defenders should verify the affected scope and severity with the official CVE record and NVD entry. The Wikimedia Foundation OAuth session fixation vulnerability affects MediaWiki versions from * through 1.46.0, 1.45.4, 1.44.6, and 1.43.9, associated with program files src/Backend/MWOAuthServer.Php.
Official resources
-
CVE-2026-13707 CVE record
CVE.org
-
CVE-2026-13707 NVD detail
NVD
-
Source item URL
nvd_modified
-
Source reference
c4f26cc8-17ff-4c99-b5e2-38fc1793eacc - Permissions Required
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-01T16:16:31.743Z and has not been modified since then. The NVD entry is currently Analyzed.