{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-39937", "assignerOrgId": "c4f26cc8-17ff-4c99-b5e2-38fc1793eacc", "state": "PUBLISHED", "assignerShortName": "wikimedia-foundation", "dateReserved": "2026-04-07T21:25:36.589Z", "datePublished": "2026-04-07T21:44:46.515Z", "dateUpdated": "2026-04-08T21:58:19.900Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "c4f26cc8-17ff-4c99-b5e2-38fc1793eacc", "shortName": "wikimedia-foundation", "dateUpdated": "2026-04-08T21:58:19.900Z"}, "title": "Global vanishing does not completely remove user email", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-212", "description": "CWE-212 Improper removal of sensitive information before storage or transfer", "type": "CWE"}]}], "impacts": [{"capecId": "CAPEC-131", "descriptions": [{"lang": "en", "value": "CAPEC-131 Resource Leak Exposure"}]}], "affected": [{"vendor": "The Wikimedia Foundation", "product": "Mediawiki - CentralAuth Extension", "versions": [{"status": "unaffected", "version": "1.43"}, {"status": "unaffected", "version": "1.44"}, {"status": "unaffected", "version": "1.45"}, {"status": "affected", "version": "0", "lessThan": "1.43", "versionType": "custom"}], "defaultStatus": "affected"}], "descriptions": [{"lang": "en", "value": "Improper removal of sensitive information before storage or transfer vulnerability in The Wikimedia Foundation Mediawiki - CentralAuth Extension allows Resource Leak Exposure.\u00a0The issue has been remediated on the `master` branch, and in the release branches for MediaWiki versions 1.43, 1.44, and 1.45.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Improper removal of sensitive information before storage or transfer vulnerability in The Wikimedia Foundation Mediawiki - CentralAuth Extension allows Resource Leak Exposure.&nbsp;<span>The issue has been remediated on the `master` branch, and in the release branches for MediaWiki versions 1.43, 1.44, and 1.45.</span><div><div></div></div>"}]}], "references": [{"url": "https://phabricator.wikimedia.org/T418122"}, {"url": "https://gerrit.wikimedia.org/r/q/I0b72427fa329aee85841a2cb23dec3058edce85e"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "subConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "subIntegrityImpact": "LOW", "vulnAvailabilityImpact": "LOW", "subAvailabilityImpact": "LOW", "exploitMaturity": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "version": "4.0", "baseSeverity": "HIGH", "baseScore": 8.8, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:L/SC:L/SI:L/SA:L"}}], "credits": [{"lang": "en", "value": "Urbanecm", "type": "finder"}, {"lang": "en", "value": "kostajh", "type": "remediation developer"}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 1.0.1"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-08T15:22:57.694770Z", "id": "CVE-2026-39937", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-08T15:23:06.774Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-39937", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-08T15:22:57.694770Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-08T15:23:00.975Z"}}], "cna": {"title": "Global vanishing does not completely remove user email", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "finder", "value": "Urbanecm"}, {"lang": "en", "type": "remediation developer", "value": "kostajh"}], "impacts": [{"capecId": "CAPEC-131", "descriptions": [{"lang": "en", "value": "CAPEC-131 Resource Leak Exposure"}]}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 8.8, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:L/SC:L/SI:L/SA:L", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "LOW", "vulnIntegrityImpact": "LOW", "subAvailabilityImpact": "LOW", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "LOW", "vulnConfidentialityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "The Wikimedia Foundation", "product": "Mediawiki - CentralAuth Extension", "versions": [{"status": "unaffected", "version": "1.43"}, {"status": "unaffected", "version": "1.44"}, {"status": "unaffected", "version": "1.45"}, {"status": "affected", "version": "0", "lessThan": "1.43", "versionType": "custom"}], "defaultStatus": "affected"}], "references": [{"url": "https://phabricator.wikimedia.org/T418122"}, {"url": "https://gerrit.wikimedia.org/r/q/I0b72427fa329aee85841a2cb23dec3058edce85e"}], "x_generator": {"engine": "Vulnogram 1.0.1"}, "descriptions": [{"lang": "en", "value": "Improper removal of sensitive information before storage or transfer vulnerability in The Wikimedia Foundation Mediawiki - CentralAuth Extension allows Resource Leak Exposure.\u00a0The issue has been remediated on the `master` branch, and in the release branches for MediaWiki versions 1.43, 1.44, and 1.45.", "supportingMedia": [{"type": "text/html", "value": "Improper removal of sensitive information before storage or transfer vulnerability in The Wikimedia Foundation Mediawiki - CentralAuth Extension allows Resource Leak Exposure.&nbsp;<span>The issue has been remediated on the `master` branch, and in the release branches for MediaWiki versions 1.43, 1.44, and 1.45.</span><div><div></div></div>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-212", "description": "CWE-212 Improper removal of sensitive information before storage or transfer"}]}], "providerMetadata": {"orgId": "c4f26cc8-17ff-4c99-b5e2-38fc1793eacc", "shortName": "wikimedia-foundation", "dateUpdated": "2026-04-08T21:58:19.900Z"}}}, "cveMetadata": {"cveId": "CVE-2026-39937", "state": "PUBLISHED", "dateUpdated": "2026-04-08T21:58:19.900Z", "dateReserved": "2026-04-07T21:25:36.589Z", "assignerOrgId": "c4f26cc8-17ff-4c99-b5e2-38fc1793eacc", "datePublished": "2026-04-07T21:44:46.515Z", "assignerShortName": "wikimedia-foundation"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Improper removal of sensitive information before storage or transfer vulnerability in The Wikimedia Foundation Mediawiki - CentralAuth Extension allows Resource Leak Exposure.\u00a0The issue has been remediated on the `master` branch, and in the release branches for MediaWiki versions 1.43, 1.44, and 1.45."}], "id": "CVE-2026-39937", "lastModified": "2026-04-08T22:16:22.293", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "LOW", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:L/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "c4f26cc8-17ff-4c99-b5e2-38fc1793eacc", "type": "Secondary"}]}, "published": "2026-04-07T22:16:24.283", "references": [{"source": "c4f26cc8-17ff-4c99-b5e2-38fc1793eacc", "url": "https://gerrit.wikimedia.org/r/q/I0b72427fa329aee85841a2cb23dec3058edce85e"}, {"source": "c4f26cc8-17ff-4c99-b5e2-38fc1793eacc", "url": "https://phabricator.wikimedia.org/T418122"}], "sourceIdentifier": "c4f26cc8-17ff-4c99-b5e2-38fc1793eacc", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-212"}], "source": "c4f26cc8-17ff-4c99-b5e2-38fc1793eacc", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "1.43.7"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "1.44.4"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "1.45.2"}}], "enrichment": {"confidence": 100.0, "confidence_source": "manual", "scores": [{"score": 100.0, "source": "manual"}]}, "original": {"product": "Mediawiki - CentralAuth Extension", "source": "cna", "vendor": "The Wikimedia Foundation"}, "product": "mediawiki_-_centralauth_extension", "vendor": "wikimedia"}], "analysis": {"en": {"generated_at": "2026-04-08T23:52:59.846021+00:00", "value": {"mitigation_remediation": ["Update MediaWiki to the latest patched release (1.45 or newer) that includes the CentralAuth fix.", "Verify that the CentralAuth extension is at the most recent revision from the master branch.", "If an upgrade is not immediately possible, disable or temporarily restrict the Global Vanish feature.", "Audit runtime logs and memory dumps for any residual email addresses after vanish operations.", "Monitor for unexpected email disclosures and apply additional filtering if necessary."], "summary": {"action": "Patch Immediately", "impact": "Information Disclosure"}, "threat_synthesis": {"affected_systems": "The flaw affects the Wikimedia Foundation\u2019s MediaWiki CentralAuth Extension. The issue has been addressed in the master branch and in the release branches for MediaWiki versions 1.43, 1.44, and 1.45. Users running those or earlier affected releases should ensure that the CentralAuth extension is updated to the patched state before the vulnerability can be triggered.", "description_and_impact": "The vulnerability arises from an improper removal of sensitive information before storage or transfer within the MediaWiki CentralAuth Extension, resulting in a resource leak exposure. Specifically, user email addresses are not fully purged during a global vanish operation, leaving them potentially recoverable from memory or logs. This flaw falls under CWE-212 and can lead to privacy compromise through unintended disclosure of email addresses.", "risk_and_exploitability": "A CVSS score of 8.8 classifies the vulnerability as high severity, whereas the EPSS score of less than 1\u202f% indicates a low likelihood of widespread exploitation. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector, inferred from the description, involves a user initiating a global vanish action that does not completely erase the email address from system memory or logs; the residual data may then become accessible to other users or logged systems. Exploitation would require that the CentralAuth extension process user email during a vanish operation, as described above."}}}}, "created": "2026-04-08T19:34:01.286072+00:00", "updated": "2026-04-09T08:28:39.943527+00:00", "vendors": ["wikimedia", "wikimedia$PRODUCT$mediawiki_-_centralauth_extension"]}