This vulnerability in Wikimedia Foundation's CheckUser extension (versions 1.45.0 up to but not including 1.45.2) results in the exposure of sensitive information to unauthorized actors. It is identified as CWE-200, which involves unintended disclosure of information. The CVSS 4.8 score indicates a network-based attack with low complexity and no privileges required, but user interaction is needed. The vulnerability does not involve integrity or availability impacts, focusing solely on confidentiality. No official patch or remediation guidance has been published by the vendor yet.

The vulnerability allows unauthorized actors to access sensitive information that should be restricted, potentially compromising user privacy or operational confidentiality within the CheckUser extension. However, the impact is limited to information exposure without affecting system integrity or availability. No known active exploitation has been reported.

Patch status is not yet confirmed — check the Wikimedia Foundation advisory for current remediation guidance. Until an official fix is released, limit access to CheckUser functionality to trusted administrators and monitor for unusual access patterns. Avoid exposing CheckUser interfaces to untrusted networks or users.