{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-39937", "assignerOrgId": "c4f26cc8-17ff-4c99-b5e2-38fc1793eacc", "state": "PUBLISHED", "assignerShortName": "wikimedia-foundation", "dateReserved": "2026-04-07T21:25:36.589Z", "datePublished": "2026-04-07T21:44:46.515Z", "dateUpdated": "2026-04-08T21:58:19.900Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "c4f26cc8-17ff-4c99-b5e2-38fc1793eacc", "shortName": "wikimedia-foundation", "dateUpdated": "2026-04-08T21:58:19.900Z"}, "title": "Global vanishing does not completely remove user email", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-212", "description": "CWE-212 Improper removal of sensitive information before storage or transfer", "type": "CWE"}]}], "impacts": [{"capecId": "CAPEC-131", "descriptions": [{"lang": "en", "value": "CAPEC-131 Resource Leak Exposure"}]}], "affected": [{"vendor": "The Wikimedia Foundation", "product": "Mediawiki - CentralAuth Extension", "versions": [{"status": "unaffected", "version": "1.43"}, {"status": "unaffected", "version": "1.44"}, {"status": "unaffected", "version": "1.45"}, {"status": "affected", "version": "0", "lessThan": "1.43", "versionType": "custom"}], "defaultStatus": "affected"}], "descriptions": [{"lang": "en", "value": "Improper removal of sensitive information before storage or transfer vulnerability in The Wikimedia Foundation Mediawiki - CentralAuth Extension allows Resource Leak Exposure.\u00a0The issue has been remediated on the `master` branch, and in the release branches for MediaWiki versions 1.43, 1.44, and 1.45.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Improper removal of sensitive information before storage or transfer vulnerability in The Wikimedia Foundation Mediawiki - CentralAuth Extension allows Resource Leak Exposure.&nbsp;<span>The issue has been remediated on the `master` branch, and in the release branches for MediaWiki versions 1.43, 1.44, and 1.45.</span><div><div></div></div>"}]}], "references": [{"url": "https://phabricator.wikimedia.org/T418122"}, {"url": "https://gerrit.wikimedia.org/r/q/I0b72427fa329aee85841a2cb23dec3058edce85e"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "subConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "subIntegrityImpact": "LOW", "vulnAvailabilityImpact": "LOW", "subAvailabilityImpact": "LOW", "exploitMaturity": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "version": "4.0", "baseSeverity": "HIGH", "baseScore": 8.8, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:L/SC:L/SI:L/SA:L"}}], "credits": [{"lang": "en", "value": "Urbanecm", "type": "finder"}, {"lang": "en", "value": "kostajh", "type": "remediation developer"}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 1.0.1"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-08T15:22:57.694770Z", "id": "CVE-2026-39937", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-08T15:23:06.774Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-39937", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-08T15:22:57.694770Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-08T15:23:00.975Z"}}], "cna": {"title": "Global vanishing does not completely remove user email", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "finder", "value": "Urbanecm"}, {"lang": "en", "type": "remediation developer", "value": "kostajh"}], "impacts": [{"capecId": "CAPEC-131", "descriptions": [{"lang": "en", "value": "CAPEC-131 Resource Leak Exposure"}]}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 8.8, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:L/SC:L/SI:L/SA:L", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "LOW", "vulnIntegrityImpact": "LOW", "subAvailabilityImpact": "LOW", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "LOW", "vulnConfidentialityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "The Wikimedia Foundation", "product": "Mediawiki - CentralAuth Extension", "versions": [{"status": "unaffected", "version": "1.43"}, {"status": "unaffected", "version": "1.44"}, {"status": "unaffected", "version": "1.45"}, {"status": "affected", "version": "0", "lessThan": "1.43", "versionType": "custom"}], "defaultStatus": "affected"}], "references": [{"url": "https://phabricator.wikimedia.org/T418122"}, {"url": "https://gerrit.wikimedia.org/r/q/I0b72427fa329aee85841a2cb23dec3058edce85e"}], "x_generator": {"engine": "Vulnogram 1.0.1"}, "descriptions": [{"lang": "en", "value": "Improper removal of sensitive information before storage or transfer vulnerability in The Wikimedia Foundation Mediawiki - CentralAuth Extension allows Resource Leak Exposure.\u00a0The issue has been remediated on the `master` branch, and in the release branches for MediaWiki versions 1.43, 1.44, and 1.45.", "supportingMedia": [{"type": "text/html", "value": "Improper removal of sensitive information before storage or transfer vulnerability in The Wikimedia Foundation Mediawiki - CentralAuth Extension allows Resource Leak Exposure.&nbsp;<span>The issue has been remediated on the `master` branch, and in the release branches for MediaWiki versions 1.43, 1.44, and 1.45.</span><div><div></div></div>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-212", "description": "CWE-212 Improper removal of sensitive information before storage or transfer"}]}], "providerMetadata": {"orgId": "c4f26cc8-17ff-4c99-b5e2-38fc1793eacc", "shortName": "wikimedia-foundation", "dateUpdated": "2026-04-08T21:58:19.900Z"}}}, "cveMetadata": {"cveId": "CVE-2026-39937", "state": "PUBLISHED", "dateUpdated": "2026-04-08T21:58:19.900Z", "dateReserved": "2026-04-07T21:25:36.589Z", "assignerOrgId": "c4f26cc8-17ff-4c99-b5e2-38fc1793eacc", "datePublished": "2026-04-07T21:44:46.515Z", "assignerShortName": "wikimedia-foundation"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Improper removal of sensitive information before storage or transfer vulnerability in The Wikimedia Foundation Mediawiki - CentralAuth Extension allows Resource Leak Exposure.\u00a0The issue has been remediated on the `master` branch, and in the release branches for MediaWiki versions 1.43, 1.44, and 1.45."}], "id": "CVE-2026-39937", "lastModified": "2026-04-08T22:16:22.293", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "LOW", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:L/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "c4f26cc8-17ff-4c99-b5e2-38fc1793eacc", "type": "Secondary"}]}, "published": "2026-04-07T22:16:24.283", "references": [{"source": "c4f26cc8-17ff-4c99-b5e2-38fc1793eacc", "url": "https://gerrit.wikimedia.org/r/q/I0b72427fa329aee85841a2cb23dec3058edce85e"}, {"source": "c4f26cc8-17ff-4c99-b5e2-38fc1793eacc", "url": "https://phabricator.wikimedia.org/T418122"}], "sourceIdentifier": "c4f26cc8-17ff-4c99-b5e2-38fc1793eacc", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-212"}], "source": "c4f26cc8-17ff-4c99-b5e2-38fc1793eacc", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "1.43.7"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "1.44.4"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "1.45.2"}}], "enrichment": {"confidence": 100.0, "confidence_source": "manual", "scores": [{"score": 100.0, "source": "manual"}]}, "original": {"product": "Mediawiki - CentralAuth Extension", "source": "cna", "vendor": "The Wikimedia Foundation"}, "product": "mediawiki_-_centralauth_extension", "vendor": "wikimedia"}], "analysis": {"en": {"generated_at": "2026-04-07T23:46:06.956897+00:00", "value": {"mitigation_remediation": ["Check the Wikimedia Foundation\u2019s official communications or website for a patch or update addressing the CentralAuth Extension issue", "If a security patch is available, apply it immediately to all affected installations", "Until a patch is released, restrict administrative privileges that allow execution of global vanishing to trusted users only", "Audit existing data and logs to identify any residual user email addresses and remove them manually", "Avoid deploying or operating non\u2011release branches of MediaWiki until the vulnerability is fixed", "Monitor for future advisories or updates related to this vulnerability"], "summary": {"action": "Immediate Patch", "impact": "Residual Email Exposure"}, "threat_synthesis": {"affected_systems": "The flaw affects the CentralAuth Extension of MediaWiki maintained by the Wikimedia Foundation. It is present in all non\u2011release branches, meaning any development or experimental branches that have not yet been officially released. Users running the CentralAuth Extension on these branches are at risk.", "description_and_impact": "Improper handling of sensitive information in the MediaWiki CentralAuth Extension results in a resource leak where user email addresses are not fully cleared during a global vanishing operation. The flaw exposes potentially confidential data that should have been removed, thereby compromising the confidentiality of user accounts. The vulnerability is classified under CWE\u2011212, indicating a failure to remove sensitive data before storage or transfer.", "risk_and_exploitability": "The CVSS score of 8.8 signals a high severity vulnerability. EPSS data is not available, but the lack of a known exploit in the KEV catalog suggests that exploitation has not yet been observed in the wild. The likely attack path is indirect; an attacker would need access to the administrative functionality that performs global vanishing or must have access to logs and stored data where the residual emails may appear. This inference is based on the described improper deletion of sensitive data before storage or transfer, and the requirement for privileged actions to trigger such operations."}}}}, "created": "2026-04-08T19:34:01.286072+00:00", "updated": "2026-04-08T19:45:25.934991+00:00", "vendors": ["wikimedia", "wikimedia$PRODUCT$mediawiki_-_centralauth_extension"]}