PatchSiren cyber security CVE debrief
CVE-2026-34093 Wikimedia Foundation CVE debrief
CVE-2026-34093 is a low-severity sensitive-information exposure issue in Wikimedia Foundation MediaWiki, tied to includes/Specials/SpecialUserRights.php. According to the NVD record, the issue affects MediaWiki versions before 1.43.7, 1.44.4, and 1.45.2. The CVSS 4.0 vector indicates network exposure with low confidentiality impact and a user interaction requirement, so this is not described as a high-impact or remotely weaponized flaw in the supplied record.
- Vendor: Wikimedia Foundation
- Product: MediaWiki
- CVSS: LOW 1.1
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-11
- Original CVE updated: 2026-05-18
- Advisory published: 2026-05-11
- Advisory updated: 2026-05-18
Who should care
MediaWiki administrators, Wikimedia-style platform operators, and maintainers responsible for user-rights management or restricted administrative pages should care most. Prioritize review if your deployment is running a version older than 1.43.7, 1.44.4, or 1.45.2, or if access to SpecialUserRights is granted to privileged users.
Technical summary
The vulnerability is classified as CWE-200, Exposure of Sensitive Information to an Unauthorized Actor. The NVD data links the issue to SpecialUserRights.php and lists vulnerable version ranges ending before 1.43.7, 1.44.4, and 1.45.2. The CVSS 4.0 vector shows AV:N/AC:L/PR:L/UI:A with VC:L and no integrity or availability impact, indicating a limited-information disclosure scenario that requires some privilege and user interaction.
Defensive priority
Medium for exposed or internet-facing MediaWiki deployments still on affected versions; lower urgency for fully patched systems. Because the impact is limited but the affected component is security-adjacent, upgrading and permission review should be treated as routine remediation rather than emergency incident response.
Recommended defensive actions
- Upgrade MediaWiki to 1.43.7, 1.44.4, or 1.45.2 or later, depending on your branch.
- Confirm fleet inventory for any deployments that fall into the affected version ranges listed by NVD.
- Review access controls and permissions around SpecialUserRights and related administrative workflows.
- Check the vendor reference in Phabricator issue T414547 for any deployment-specific guidance.
- Verify that no older MediaWiki instances remain in test, staging, or archived environments.
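For the inventory step, a branch-aware version check matters because a single "older than 1.45.2" comparison would wrongly flag patched 1.43.7 and 1.44.4 installs. The sketch below is an added example, not code from NVD or Wikimedia; the host names and version strings are constructed, and it assumes that branches older than 1.43 count as affected while branches newer than 1.45, which the record does not cover, go to manual review.

```python
import re

# Fixed patch level per branch, taken from the version list in this debrief.
FIXED = {(1, 43): 7, (1, 44): 4, (1, 45): 2}
OLDEST_LISTED = min(FIXED)
_VERSION = re.compile(r"(\d+)\.(\d+)\.(\d+)(-[\w.]+)?")


def classify(version_string):
    """Return 'affected', 'fixed' or 'review' for one MediaWiki version string."""
    m = _VERSION.search(version_string)
    if not m:
        return "review"  # unparseable inventory entry: needs a human look
    major, minor, patch = (int(g) for g in m.groups()[:3])
    branch, suffix = (major, minor), m.group(4)
    if branch in FIXED:
        if patch < FIXED[branch]:
            return "affected"
        # A pre-release tag such as -rc.1 may predate the final fixed build.
        return "review" if suffix else "fixed"
    if branch < OLDEST_LISTED:
        # Assumption: "before 1.43.7" also covers every older branch.
        return "affected"
    return "review"  # newer branch not covered by the record


def triage(inventory):
    """Group host names by classification result."""
    result = {"affected": [], "fixed": [], "review": []}
    for host, version in inventory.items():
        result[classify(version)].append(host)
    return result


# Constructed sample inventory (hypothetical hosts and versions).
SAMPLE_INVENTORY = {
    "wiki-prod": "MediaWiki 1.43.7",
    "wiki-old-test": "1.43.6",
    "wiki-staging": "1.44.3",
    "wiki-dev": "1.45.2",
    "wiki-archive": "1.39.11",
    "wiki-lab": "1.46.0-alpha",
    "wiki-unknown": "unknown",
}

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status}: {', '.join(sorted(hosts))}")
```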
Evidence notes
This debrief is based only on the supplied NVD record and the linked Wikimedia Phabricator issue. The NVD metadata classifies the weakness as CWE-200 and lists vulnerable MediaWiki ranges ending before 1.43.7, 1.44.4, and 1.45.2. The reference set includes https://phabricator.wikimedia.org/T414547 marked as Issue Tracking, Vendor Advisory, and Permissions Required.
Official resources
- CVE-2026-34093 CVE record (CVE.org)
- CVE-2026-34093 NVD detail (NVD)
- Source item URL (nvd_modified)
- Mitigation or vendor reference: c4f26cc8-17ff-4c99-b5e2-38fc1793eacc - Issue Tracking, Vendor Advisory, Permissions Required
Publicly disclosed in the CVE/NVD record on 2026-05-11, with the NVD entry modified on 2026-05-18. The supplied reference set also points to the Wikimedia Phabricator issue T414547 as the vendor-linked advisory item.