CVE-2026-58517
Status: Awaiting Analysis (Queue)

Authentication Bypass in MediaWiki WikiLambda Extension

Vulnerability report for CVE-2026-58517, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-01

Last updated on: 2026-07-01

Assigner: wikimedia-foundation

Description

Improper neutralization of input terminators vulnerability in The Wikimedia Foundation Mediawiki - WikiLambda Extension allows Authentication Bypass. This issue affects Mediawiki - WikiLambda Extension: from * before 1.43.9, 1.44.6, 1.45.4.


Meta Information

Published: 2026-07-01
Last Modified: 2026-07-01
Generated: 2026-07-02
AI Q&A: 2026-07-01
EPSS Evaluated: N/A
External records: NVD, EUVD

Affected Vendors & Products

3 associated CPEs

Vendor      Product                           Version / Range
wikimedia   mediawiki_wikilambda_extension    from 1.43.0 (inc) to 1.43.9 (exc)
wikimedia   mediawiki_wikilambda_extension    to 1.44.6 (exc)
wikimedia   mediawiki_wikilambda_extension    to 1.45.4 (exc)

Exploitability

CWE-288: The product requires authentication, but the product has an alternate path or channel that does not require authentication.

AI Quick Actions

Executive Summary

CVE-2026-58517 is a security vulnerability in the WikiLambda extension for MediaWiki that allows users who are blocked on the wiki to create or edit WikiLambda objects anyway, bypassing the block.

The issue arises because the block check in the code fails to properly detect blocked users for certain actions, specifically the 'createpage' action and API endpoints related to WikiLambda editing. The logic in AbstractBlock returns null for these actions, and the API endpoints rely only on permission checks that do not enforce block restrictions.

As a result, blocked users can circumvent the intended block and perform actions they should be prevented from doing.

Impact Analysis

This vulnerability affects you by allowing users who have been blocked from editing or creating content to bypass those blocks within the WikiLambda extension and continue to create or edit WikiLambda objects.

This can lead to unauthorized changes, potential misinformation, or abuse of the system by users who should no longer have editing privileges.

Detection Guidance

This vulnerability can be detected by testing whether blocked users are able to create or edit WikiLambda objects despite being blocked. Specifically, attempts by blocked users to perform the 'createpage' action or to call the API endpoint with action=wikilambda_edit should be monitored.

A practical detection method is to monitor (or, on a test wiki, simulate) API calls to the WikiLambda extension endpoints and verify whether blocked users are improperly allowed to create or edit objects.

No specific commands are provided in the available resources, but network monitoring tools or API request logs can be used to identify create or edit actions performed by users who are on the wiki's block list.
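As an added illustration of the log-based detection described above (not code from this page or from the WikiLambda project), the following Python scans API request log lines for `action=wikilambda_edit` requests made by users on a block list. The log-line format, the user names and the block list are all constructed for the example; adapt the regular expression to the request log your wiki actually produces.

```python
import re
from dataclasses import dataclass

# Constructed sample log (not real MediaWiki output). Assumed line format:
# "<timestamp> <client-ip> user=<name> action=<api action> [<other params>]"
SAMPLE_LOG = """\
2026-07-01T10:00:01Z 203.0.113.5 user=Alice action=query meta=userinfo
2026-07-01T10:00:07Z 203.0.113.9 user=Mallory action=wikilambda_edit zid=Z10001
2026-07-01T10:00:09Z 203.0.113.9 user=Mallory action=edit title=Main_Page
2026-07-01T10:01:15Z 198.51.100.2 user=Bob action=wikilambda_edit zid=Z10002
"""

# Users currently blocked on the wiki (constructed; in practice export this
# from the wiki's block table or Special:BlockList).
BLOCKED_USERS = {"Mallory"}

# API actions the advisory says did not enforce blocks. 'createpage' is a
# permission action, not an API action, so the API-side indicator to watch
# is the WikiLambda edit endpoint.
WATCHED_ACTIONS = {"wikilambda_edit"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) user=(?P<user>\S+) action=(?P<action>\S+)(?: (?P<rest>.*))?$"
)


@dataclass(frozen=True)
class Finding:
    ts: str
    user: str
    action: str
    detail: str


def parse_line(line):
    """Parse one log line into its fields, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def find_block_bypass(log_text, blocked_users, watched_actions=WATCHED_ACTIONS):
    """Return the events where a blocked user reached a watched WikiLambda endpoint."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["user"] in blocked_users and rec["action"] in watched_actions:
            findings.append(Finding(rec["ts"], rec["user"], rec["action"], rec["rest"] or ""))
    return findings


if __name__ == "__main__":
    for f in find_block_bypass(SAMPLE_LOG, BLOCKED_USERS):
        print(f"{f.ts} blocked user {f.user!r} reached {f.action} ({f.detail})")
```

The blocked user's ordinary `action=edit` request is deliberately not flagged, since the core block check still applies on that path; a hit on `wikilambda_edit` from a blocked user means the extension-side check was not enforced and the installed version should be compared against the fixed releases.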

Mitigation Strategies

The immediate mitigation step is to apply the patch that was proposed and merged to fix the issue, which adds an explicit user-block check in the ZObjectAuthorization class.

Ensure your WikiLambda extension is updated to a version that includes this fix: 1.43.9, 1.44.6 or 1.45.4 (or later in each series), or the patched master and REL1_46 branches.

Until the patch is applied, monitor and restrict API access to the WikiLambda editing endpoints for blocked users as a temporary workaround.

Compliance Impact

The vulnerability allows blocked users to bypass their block and create or edit WikiLambda objects. This authentication bypass could potentially lead to unauthorized access to or modification of data.

Such unauthorized access or modification may impact compliance with standards and regulations like GDPR or HIPAA, which require strict access controls and protection of sensitive data. However, the provided information does not explicitly state the direct effects on compliance with these regulations.
