CVE Catalog

CVE-2026-13707

UnknownCVSS 0.0
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.26%

17th percentile — higher than 17% of all known CVEs

Summary

Session fixation vulnerability in Wikimedia Foundation OAuth. Allows an attacker to fixate a session identifier on the victim, potentially leading to session hijacking.

Risk Assessment

The risk for the organization is the potential hijacking of user accounts via OAuth session fixation, which could lead to unauthorized access to data and operations in systems using this mechanism.

Recommendation

Immediately update the OAuth library to version 1.46.1 or later, and consider implementing session identifier regeneration after authentication.

Original NVD description (English source)

Session fixation vulnerability in Wikimedia Foundation OAuth. This vulnerability is associated with program files src/Backend/MWOAuthServer.Php. This issue affects OAuth: from * through 1.46.0, 1.45.4, 1.44.6, 1.43.9.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS