CVE-2026-13707
UnknownCVSS 0.0Exploitation Probability (EPSS)
Low risk17th percentile — higher than 17% of all known CVEs
Summary
Session fixation vulnerability in Wikimedia Foundation OAuth. Allows an attacker to fixate a session identifier on the victim, potentially leading to session hijacking.
Risk Assessment
The risk for the organization is the potential hijacking of user accounts via OAuth session fixation, which could lead to unauthorized access to data and operations in systems using this mechanism.
Recommendation
Immediately update the OAuth library to version 1.46.1 or later, and consider implementing session identifier regeneration after authentication.
Original NVD description (English source)
Session fixation vulnerability in Wikimedia Foundation OAuth. This vulnerability is associated with program files src/Backend/MWOAuthServer.Php. This issue affects OAuth: from * through 1.46.0, 1.45.4, 1.44.6, 1.43.9.

