CVE-2026-0817
📋 TL;DR
A missing authorization vulnerability in MediaWiki's CampaignEvents extension allows authenticated users to perform privileged actions without proper permission checks. This affects MediaWiki installations with the CampaignEvents extension enabled, specifically versions 1.39 through 1.45. Attackers could abuse campaign event management functions they shouldn't have access to.
💻 Affected Systems
- MediaWiki CampaignEvents extension
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Malicious authenticated users could manipulate campaign events, modify event data, delete events, or potentially escalate privileges within the CampaignEvents system, disrupting event management functionality.
Likely Case
Authenticated users with limited permissions could perform unauthorized campaign event modifications, potentially altering event details, schedules, or participant lists they shouldn't have access to.
If Mitigated
With proper access controls and monitoring, impact is limited to unauthorized campaign event modifications by authenticated users, which can be detected and rolled back.
🎯 Exploit Status
Exploitation requires authenticated access to the MediaWiki instance. Attackers need to understand the CampaignEvents API/interface to abuse the missing authorization checks.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check MediaWiki updates for CampaignEvents extension fixes
Vendor Advisory: https://phabricator.wikimedia.org/T410560
Restart Required: No
Instructions:
1. Update MediaWiki to latest version
2. Update CampaignEvents extension to patched version
3. Verify authorization checks are properly implemented
4. Review user permissions and audit logs
🔧 Temporary Workarounds
Disable CampaignEvents Extension
Temporarily disable the vulnerable CampaignEvents extension if it is not critically needed.
Edit LocalSettings.php and remove or comment out the line wfLoadExtension( 'CampaignEvents' );
Restrict User Permissions
Tighten user permissions and implement additional access controls for campaign event management.
Review and adjust user group permissions in MediaWiki.
🧯 If You Can't Patch
- Implement strict access controls and monitor all campaign event modifications
- Enable detailed logging for CampaignEvents actions and set up alerts for unauthorized changes
🔍 How to Verify
Check if Vulnerable:
Check the MediaWiki version and the CampaignEvents extension version. If an affected MediaWiki version (1.39 through 1.45) is in use with CampaignEvents enabled, the system is vulnerable.
Check Version:
Check the MediaWiki version on the Special:Version page or via $wgVersion in the configuration.
Verify Fix Applied:
Verify that MediaWiki and the CampaignEvents extension are updated beyond the affected versions, then test the authorization checks on the campaign event management functions.
📡 Detection & Monitoring
Log Indicators:
- Unauthorized campaign event modifications
- Users performing campaign actions outside their permission level
- Unexpected campaign event creation/deletion
Network Indicators:
- Unusual patterns in campaign event API calls
- Multiple campaign modifications from single user in short time
SIEM Query:
source="mediawiki" AND (event="campaign_event" OR event="campaign") AND user_permission_level="low" AND action IN ("create","modify","delete")
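As an added illustration of the log and network indicators above (example code written for this page, not from the advisory or the CampaignEvents project), the following script applies two of them to constructed audit records: actions performed without the required right, and bursts of campaign modifications from one user. The record fields and the right names campaign-organize / campaign-delete are placeholders, not the extension's actual rights.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Illustrative right names (placeholders, not the extension's real right names):
# the right a user must hold for each campaign action.
REQUIRED_RIGHT = {
    "create": "campaign-organize",
    "modify": "campaign-organize",
    "delete": "campaign-delete",
}
BURST_WINDOW = timedelta(minutes=5)   # "short time" from the advisory
BURST_THRESHOLD = 3                   # modifications inside the window

# Constructed sample audit records (one per campaign event action).
SAMPLE_LOG = [
    {"ts": "2026-02-10T10:00:00", "user": "Alice",   "rights": ["campaign-organize"], "action": "create", "target": "Event:Editathon"},
    {"ts": "2026-02-10T10:01:00", "user": "Mallory", "rights": [],                    "action": "modify", "target": "Event:Editathon"},
    {"ts": "2026-02-10T10:02:00", "user": "Mallory", "rights": [],                    "action": "modify", "target": "Event:Hackathon"},
    {"ts": "2026-02-10T10:03:00", "user": "Mallory", "rights": [],                    "action": "delete", "target": "Event:Hackathon"},
    {"ts": "2026-02-10T11:30:00", "user": "Alice",   "rights": ["campaign-organize"], "action": "modify", "target": "Event:Editathon"},
]

def unauthorized_actions(records):
    """Records whose user lacks the right the action requires
    (the 'outside their permission level' indicator)."""
    return [r for r in records if REQUIRED_RIGHT[r["action"]] not in r["rights"]]

def burst_users(records, window=BURST_WINDOW, threshold=BURST_THRESHOLD):
    """Users with at least `threshold` create/modify/delete actions
    inside any `window`-long span (the 'multiple modifications' indicator)."""
    per_user = defaultdict(list)
    for r in records:
        if r["action"] in REQUIRED_RIGHT:
            per_user[r["user"]].append(datetime.fromisoformat(r["ts"]))
    flagged = set()
    for user, times in per_user.items():
        times.sort()
        j = 0  # right edge of the sliding window; only ever moves forward
        for i, start in enumerate(times):
            while j < len(times) and times[j] - start <= window:
                j += 1
            if j - i >= threshold:
                flagged.add(user)
                break
    return sorted(flagged)

if __name__ == "__main__":
    for r in unauthorized_actions(SAMPLE_LOG):
        print(f"ALERT: {r['user']} performed {r['action']} on {r['target']} without the required right")
    print("burst users:", burst_users(SAMPLE_LOG))
```

In a real deployment the records would come from the wiki's logging table or the CampaignEvents action log, and the REQUIRED_RIGHT map would be filled from the extension's own right names.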