Debian LTS MediaWiki DLA-4640-1 Access Control Bypass Issues
debian lts
June 21, 2026
Multiple security vulnerabilities were found in mediawiki, a website engine for collaborative work, which could lead to information disclosure or access controls bypass
Summary
CVE-2026-34087
OATHAuth extension: Users API leaks whether privileged users have
their user groups disabled for lack of 2FA.
CVE-2026-34088
RecentChanges entries expose suppressed content via generated log
page HTML.
CVE-2026-34093
Special:UserRights page allows viewing user rights from private
wiki.
CVE-2026-34095
action=raw with Special:Mypage subpage title responds with
"Content-Type: text/html" on ctype=text/javascript request, which
may lead to cross-site scripting.
For Debian 11 bullseye, these problems have been fixed in version
1:1.35.13-1+deb11u7.
For Debian 12 bookworm, these problems have been fixed in version
$bookworm_VERSION.
We recommend that you upgrade your mediawiki packages.
For the detailed security status of mediawiki please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/mediawiki
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
PREVIOUS 
NEXT 
Severity
important
Lowest
Low
Medium
High
Critical
Package: mediawiki
Version: 1:1.35.13-1+deb11u7 $bookworm_VERSION
CVE ID: CVE-2026-34087 CVE-2026-34088 CVE-2026-34093 CVE-2026-34095
Get the latest News and Insights
Get the latest Linux and open source security news straight to your inbox.
Powered By
Linux Security - Your source for Top Linux News, Advisories, HOWTOs and Feature Releases
QUICK LINKS
subscribe to newsletters!
Like staying secure? So do we.
Sign up for updates, tips, and alerts!