<Vulnerability name="CVE-2026-58517">
    <DocumentDistribution xml:lang="en">Copyright © 2012 Red Hat, Inc. All rights reserved.</DocumentDistribution>
    <ThreatSeverity>Critical</ThreatSeverity>
    <PublicDate>2026-07-01T18:23:02</PublicDate>
    <Bugzilla id="2496133" url="https://bugzilla.redhat.com/show_bug.cgi?id=2496133" xml:lang="en:us">
wikilambda: WikiLambda Extension: Authentication bypass due to improper input neutralization
    </Bugzilla>
    <CVSS3 status="draft">
        <CVSS3BaseScore>9.1</CVSS3BaseScore>
        <CVSS3ScoringVector>CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N</CVSS3ScoringVector>
    </CVSS3>
    <CWE>CWE-140</CWE>
    <Details xml:lang="en:us" source="Mitre">
Improper neutralization of input terminators vulnerability in The Wikimedia Foundation Mediawiki - WikiLambda Extension allows Authentication Bypass.

This issue affects Mediawiki - WikiLambda Extension: from * before 1.43.9,1.44.6,1.45.4.
    </Details>
    <Details xml:lang="en:us" source="Red Hat">
A flaw was found in The Wikimedia Foundation Mediawiki - WikiLambda Extension. This vulnerability, caused by improper neutralization of input terminators, allows an attacker to bypass authentication. This could lead to unauthorized access to the system.
    </Details>
    <Statement xml:lang="en:us">
This Critical flaw in the Mediawiki WikiLambda Extension allows an unauthenticated attacker to bypass authentication mechanisms due to improper input neutralization. This could lead to unauthorized access to systems where the WikiLambda Extension is deployed and enabled, posing a significant risk to data integrity and confidentiality.
    </Statement>
    <Mitigation xml:lang="en:us">
To mitigate this vulnerability, disable the MediaWiki WikiLambda Extension if it is not required for your deployment. This can typically be achieved by commenting out or removing the extension's entry in the LocalSettings.php configuration file. Restricting network access to the MediaWiki instance to trusted networks or users can also reduce exposure. Disabling the extension will affect any functionality dependent on WikiLambda.
    </Mitigation>
    <References xml:lang="en:us">
https://www.cve.org/CVERecord?id=CVE-2026-58517
https://nvd.nist.gov/vuln/detail/CVE-2026-58517
https://gerrit.wikimedia.org/r/c/1305376
https://phabricator.wikimedia.org/T428833
    </References>
</Vulnerability>