CVE-2026-39937

HIGH

Global vanishing does not completely remove user email

Title source: cna

Description

Improper removal of sensitive information before storage or transfer vulnerability in The Wikimedia Foundation Mediawiki - CentralAuth Extension allows Resource Leak Exposure. The issue has been remediated on the `master` branch, and in the release branches for MediaWiki versions 1.43, 1.44, and 1.45.

References (2)

https://phabricator.wikimedia.org/T418122

https://gerrit.wikimedia.org/r/q/I0b72427fa329aee85841a2cb23dec3058edce85e

Scores

CVSS v4 8.8

EPSS 0.0006

EPSS Percentile 17.3%

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:L/SC:L/SI:L/SA:L

Details

CWE

CWE-212

Status published

Products (7)

The Wikimedia Foundation/Mediawiki - CentralAuth Extension < 1.43

The Wikimedia Foundation/Mediawiki - CentralAuth Extension 1.43

The Wikimedia Foundation/Mediawiki - CentralAuth Extension 1.43.7

The Wikimedia Foundation/Mediawiki - CentralAuth Extension 1.44

The Wikimedia Foundation/Mediawiki - CentralAuth Extension 1.44.4

The Wikimedia Foundation/Mediawiki - CentralAuth Extension 1.45

The Wikimedia Foundation/Mediawiki - CentralAuth Extension 1.45.2

Published Apr 07, 2026

Tracked Since Apr 08, 2026