PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-13707 Wikimedia Foundation CVE debrief

A session fixation vulnerability was found in the Wikimedia Foundation OAuth, affecting MediaWiki versions from * through 1.46.0, 1.45.4, 1.44.6, and 1.43.9. This issue is associated with program files src/Backend/MWOAuthServer.Php. The vulnerability allows an attacker to fixate a user's session, potentially leading to unauthorized access. Administrators and users of MediaWiki installations, particularly those using affected versions, should be aware of this vulnerability and take necessary actions to protect their systems. The CVE record was published on 2026-07-01T16:16:31.743Z and was last modified on 2026-07-13T15:29:34.090Z.

Vendor
Wikimedia Foundation
Product
OAuth
CVSS
NONE
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-01
Original CVE updated
2026-07-13
Advisory published
2026-07-01
Advisory updated
2026-07-13

Who should care

Administrators and users of MediaWiki installations, particularly those using affected versions, should be aware of this vulnerability and take necessary actions to protect their systems. This includes reviewing and monitoring user sessions, implementing additional security measures such as two-factor authentication, and ensuring that MediaWiki is updated to a version that is not affected by this vulnerability.

Technical summary

The session fixation vulnerability in Wikimedia Foundation OAuth allows an attacker to fixate a user's session, potentially leading to unauthorized access. This issue is associated with the MWOAuthServer.Php file and affects various MediaWiki versions from * through 1.46.0, 1.45.4, 1.44.6, and 1.43.9. The vulnerability can be mitigated by updating MediaWiki to a non-affected version and implementing additional security measures.

Defensive priority

High

Recommended defensive actions

  • Update MediaWiki to a version that is not affected by this vulnerability
  • Review and monitor user sessions for any suspicious activity
  • Implement additional security measures, such as two-factor authentication
  • Review compensating controls for exposed systems while remediation is scheduled and verified
  • Check relevant monitoring, detection, and logs for exposed assets that need extra review

Evidence notes

The CVE record was published on 2026-07-01T16:16:31.743Z and was last modified on 2026-07-13T15:29:34.090Z. The NVD entry is currently Analyzed. This information is based on the supplied source corpus and may not reflect the full scope of the vulnerability. Defenders should verify the affected scope and severity with the official CVE record and NVD entry. The Wikimedia Foundation OAuth session fixation vulnerability affects MediaWiki versions from * through 1.46.0, 1.45.4, 1.44.6, and 1.43.9, associated with program files src/Backend/MWOAuthServer.Php.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-01T16:16:31.743Z and has not been modified since then. The NVD entry is currently Analyzed.