CVE-2026-39937: CWE-212 Improper removal of sensitive information before storage or transfer in The Wikimedia Foundation Mediawiki - CentralAuth Extension
CVE-2026-39937 is a high-severity vulnerability in The Wikimedia Foundation's Mediawiki CentralAuth Extension involving improper removal of sensitive information before storage or transfer, leading to potential resource leak exposure. The issue affects multiple release branches including MediaWiki versions 1. 43, 1. 44, and 1. 45 and has been remediated on the master branch and these release branches. The vulnerability has a CVSS 4. 0 score of 8. 8, indicating a significant risk. There are no known exploits in the wild at this time. The vulnerability is not related to a cloud service, and no official remediation level or patch links are provided in the data, but the vendor states the issue is fixed in the specified branches.
AI Analysis
Technical Summary
This vulnerability, identified as CWE-212, concerns improper removal of sensitive information before storage or transfer within the Mediawiki CentralAuth Extension maintained by The Wikimedia Foundation. It can lead to resource leak exposure, potentially allowing unauthorized access to sensitive data. The vulnerability affects MediaWiki versions 1.43, 1.44, and 1.45 but has been addressed in the master branch and these release branches. The CVSS 4.0 vector indicates the vulnerability is remotely exploitable without privileges or user interaction, with high impact on confidentiality and low to limited impact on integrity and availability. No known exploits have been reported, and the vendor has remediated the issue in the relevant branches.
Potential Impact
The vulnerability allows sensitive information to be improperly retained or exposed due to insufficient removal before storage or transfer, which could lead to unauthorized disclosure of sensitive data. The CVSS score of 8.8 reflects a high impact on confidentiality with some impact on integrity and availability. There are no known active exploits in the wild, reducing immediate risk, but the potential for data leakage remains significant if unpatched.
Mitigation Recommendations
The vulnerability has been remediated by The Wikimedia Foundation in the master branch and in the release branches for MediaWiki versions 1.43, 1.44, and 1.45. Users should upgrade to these fixed versions to address the issue. Since the vendor advisory confirms remediation in these branches, applying the official updates is the recommended action. Patch status is confirmed by vendor advisory content indicating fixes are available in the specified branches.
CVE-2026-39937: CWE-212 Improper removal of sensitive information before storage or transfer in The Wikimedia Foundation Mediawiki - CentralAuth Extension
Description
CVE-2026-39937 is a high-severity vulnerability in The Wikimedia Foundation's Mediawiki CentralAuth Extension involving improper removal of sensitive information before storage or transfer, leading to potential resource leak exposure. The issue affects multiple release branches including MediaWiki versions 1. 43, 1. 44, and 1. 45 and has been remediated on the master branch and these release branches. The vulnerability has a CVSS 4. 0 score of 8. 8, indicating a significant risk. There are no known exploits in the wild at this time. The vulnerability is not related to a cloud service, and no official remediation level or patch links are provided in the data, but the vendor states the issue is fixed in the specified branches.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
This vulnerability, identified as CWE-212, concerns improper removal of sensitive information before storage or transfer within the Mediawiki CentralAuth Extension maintained by The Wikimedia Foundation. It can lead to resource leak exposure, potentially allowing unauthorized access to sensitive data. The vulnerability affects MediaWiki versions 1.43, 1.44, and 1.45 but has been addressed in the master branch and these release branches. The CVSS 4.0 vector indicates the vulnerability is remotely exploitable without privileges or user interaction, with high impact on confidentiality and low to limited impact on integrity and availability. No known exploits have been reported, and the vendor has remediated the issue in the relevant branches.
Potential Impact
The vulnerability allows sensitive information to be improperly retained or exposed due to insufficient removal before storage or transfer, which could lead to unauthorized disclosure of sensitive data. The CVSS score of 8.8 reflects a high impact on confidentiality with some impact on integrity and availability. There are no known active exploits in the wild, reducing immediate risk, but the potential for data leakage remains significant if unpatched.
Mitigation Recommendations
The vulnerability has been remediated by The Wikimedia Foundation in the master branch and in the release branches for MediaWiki versions 1.43, 1.44, and 1.45. Users should upgrade to these fixed versions to address the issue. Since the vendor advisory confirms remediation in these branches, applying the official updates is the recommended action. Patch status is confirmed by vendor advisory content indicating fixes are available in the specified branches.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- wikimedia-foundation
- Date Reserved
- 2026-04-07T21:25:36.589Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69d57b23aaed68159a6dfc21
Added to database: 4/7/2026, 9:46:11 PM
Last enriched: 4/15/2026, 12:35:56 PM
Last updated: 5/25/2026, 3:56:59 AM
Views: 78
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.