HIGHCVE-2026-39937Published 2026-04-07Modified 2026-04-08CNA wikimedia-foundation

CVE-2026-39937: Global vanishing does not completely remove user email

Improper removal of sensitive information before storage or transfer vulnerability in The Wikimedia Foundation Mediawiki - CentralAuth Extension allows Resource Leak Exposure. The issue has been remediated on the `master` branch, and in the release branches for MediaWiki versions 1.43, 1.44, and 1.45.

CVSS v4.0: 8.8
Severity: HIGH
Fixed in: 1.43
Affected Products: 1

Fix available

1.431.441.45

Affected packages

The Wikimedia Foundation / Mediawiki - CentralAuth Extension
< 1.43 (from 0)
Fixed in 1.43, 1.44, 1.45

CVSS Vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:L/SC:L/SI:L/SA:L

References

phabricator.wikimedia.org
gerrit.wikimedia.org

Metrics

Fix available