Page MenuHomePhabricator
Create Task
Maniphest T418122

CVE-2026-39937: Global vanishing does not remove the user email completely
Closed, ResolvedPublicSecurity
Actions

Description

When looking into a question raised by User:Cabayi in my mailbox, I noticed global account vanishing only removes the user email address from the globaluser record, but not from the (many) individual user tables. For example:

[urbanecm@stat1008 ~]$ analytics-mysql centralauth
mysql:research@dbstore1008.eqiad.wmnet [centralauth]> select gu_name, gu_email from globaluser where gu_name='Renamed user 28145919bd97ab8be70d27c2e463c510';
+-----------------------------------------------+----------+
| gu_name                                       | gu_email |
+-----------------------------------------------+----------+
| Renamed user 28145919bd97ab8be70d27c2e463c510 |          |
+-----------------------------------------------+----------+
1 row in set (0.001 sec)

mysql:research@dbstore1008.eqiad.wmnet [centralauth]> ^DBye
[urbanecm@stat1008 ~]$ analytics-mysql jawiki
mysql:research@dbstore1009.eqiad.wmnet [jawiki]> select user_name, user_email from user where user_name='Renamed user 28145919bd97ab8be70d27c2e463c510';
+-----------------------------------------------+----------------------------+
| user_name                                     | user_email                 |
+-----------------------------------------------+----------------------------+
| Renamed user 28145919bd97ab8be70d27c2e463c510 | (REDACTED, CONTAINS USER EMAIL) |
+-----------------------------------------------+----------------------------+
1 row in set (0.001 sec)

mysql:research@dbstore1009.eqiad.wmnet [jawiki]>

This is potentially significant, because we indicate emails are no longer kept. Also, IIRC, the feature was internalized into MediaWiki to be able to meet account deletion defined by Google/Apple.

Details

Author Affiliation
Wikimedia Communities
Related Changes in Gerrit:
SubjectRepoBranchLines +/-
SECURITY: Forward 'type' option to LocalRenameUserJob for vanishesmediawiki/extensions/CentralAuthREL1_43+1 -0
SECURITY: Forward 'type' option to LocalRenameUserJob for vanishesmediawiki/extensions/CentralAuthREL1_44+8 -2
SECURITY: Forward 'type' option to LocalRenameUserJob for vanishesmediawiki/extensions/CentralAuthREL1_45+8 -2
SECURITY: Forward 'type' option to LocalRenameUserJob for vanishesmediawiki/extensions/CentralAuthmaster+8 -2
Customize query in gerrit

Related Objects

Event Timeline

Urbanecm created this task.Feb 23 2026, 12:07 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptFeb 23 2026, 12:08 PM
Urbanecm updated the task description. (Show Details)Feb 23 2026, 12:08 PM
Urbanecm added projects: Account-Vanishing, MediaWiki-extensions-CentralAuth, Product Safety and Integrity.
Restricted Application added a project: MediaWiki-Platform-Team. · View Herald TranscriptFeb 23 2026, 12:08 PM
Urbanecm added a project: Vuln-Infoleak.Feb 23 2026, 12:10 PM

Leaking only to shell holders, but..

This is the relevant piece of code from CentralAuth:

$data = [ 'gu_name' => $newname ];
if ( $type === GlobalRenameRequest::VANISH ) {
	// Vanish requests need to remove user's email
	$data[ 'gu_email' ] = '';
}
$dbw->newUpdateQueryBuilder()
	->update( 'globaluser' )
	->set( $data )
	->where( [ 'gu_name' => $oldname ] )
	->caller( __METHOD__ )
	->execute();
Dreamy_Jazz triaged this task as High priority.Feb 23 2026, 12:27 PM
taavi subscribed.Feb 23 2026, 1:35 PM

(Partial) dupe of T104500: Old versions of sensitive user data (email, password hashes) can remain in database indefinitely due to local and global DB not being kept in sync?

kostajh subscribed.EditedFeb 23 2026, 1:41 PM

GlobalRenameUser::getJob doesn't access $options['type'], so the default parameter in LocalRenameUserJob (used for vanishing as well) is GlobalRenameRequest::RENAME when it should be GlobalRenameRequest::VANISH. That should be sufficient to address this, because then we'll hit the code path that uses User::newSystemUser( $renamedUser->getName(), [ 'steal' => true ] );

kostajh claimed this task.Feb 23 2026, 1:43 PM
kostajh added a comment.Feb 23 2026, 1:52 PM

01-T418122.patch3 KBDownload

kostajh edited projects, added Product Safety and Integrity (Sprint Flower (Feb 9 - Feb 27)), Essential-Work; removed Product Safety and Integrity.Feb 23 2026, 1:52 PM
kostajh moved this task from Backlog to Needs review on the Product Safety and Integrity (Sprint Flower (Feb 9 - Feb 27)) board.
Dreamy_Jazz subscribed.Feb 23 2026, 2:25 PM
In T418122#11640588, @kostajh wrote:

01-T418122.patch3 KBDownload

LGTM, +2

Urbanecm added a comment.Feb 23 2026, 3:05 PM
In T418122#11640535, @kostajh wrote:

GlobalRenameUser::getJob doesn't access $options['type'], so the default parameter in LocalRenameUserJob (used for vanishing as well) is GlobalRenameRequest::RENAME when it should be GlobalRenameRequest::VANISH. That should be sufficient to address this, because then we'll hit the code path that uses User::newSystemUser( $renamedUser->getName(), [ 'steal' => true ] );

Note this has wider effects than email: It also scrubs gu_password and user_password, making the actions irreversible. FWIW, this came up in the context of https://meta.wikimedia.org/wiki/Talk:Account_vanishing#c-Cabayi-20260223143200-Reversal_/_Unvanishing, where the reversibility is being discussed. (No objections towards deploying that though, I just want to make sure those consequences are known/expected in general)

kostajh added a comment.Feb 23 2026, 3:50 PM
In T418122#11640803, @Urbanecm wrote:
In T418122#11640535, @kostajh wrote:

GlobalRenameUser::getJob doesn't access $options['type'], so the default parameter in LocalRenameUserJob (used for vanishing as well) is GlobalRenameRequest::RENAME when it should be GlobalRenameRequest::VANISH. That should be sufficient to address this, because then we'll hit the code path that uses User::newSystemUser( $renamedUser->getName(), [ 'steal' => true ] );

Note this has wider effects than email: It also scrubs gu_password and user_password, making the actions irreversible. FWIW, this came up in the context of https://meta.wikimedia.org/wiki/Talk:Account_vanishing#c-Cabayi-20260223143200-Reversal_/_Unvanishing, where the reversibility is being discussed. (No objections towards deploying that though, I just want to make sure those consequences are known/expected in general)

I think that's OK, since that was already happening on the central wiki?

matmarex moved this task from Inbox, needs triage to Radar on the MediaWiki-Platform-Team board.Feb 23 2026, 3:50 PM
matmarex edited projects, added MediaWiki-Platform-Team (Radar); removed MediaWiki-Platform-Team.
sbassett subscribed.Feb 23 2026, 4:20 PM

Are we still ok with the patch from T418122#11640588? It seems reasonable to me. If folks are still ok with this approach for now, we could likely get this deployed during today's security deployment window.

sbassett moved this task from Incoming to Security Patch To Deploy on the Security-Team board.Feb 23 2026, 5:27 PM
sbassett added a project: SecTeam-Processed.
sbassett added a project: Trust-and-Safety.Feb 23 2026, 5:31 PM
Tgr subscribed.Feb 23 2026, 6:11 PM

The local password tables are empty on CentralAuth wikis anyway. The first system-user-ification will scrub the password from globaluser; that seems like a good thing from a privacy / data removal rights perspective.

kostajh added a comment.Feb 23 2026, 10:11 PM
In T418122#11641296, @sbassett wrote:

Are we still ok with the patch from T418122#11640588? It seems reasonable to me. If folks are still ok with this approach for now, we could likely get this deployed during today's security deployment window.

Yes, I think we should do it.

sbassett added a comment.Feb 23 2026, 11:08 PM

Deployed to 1.46.0-wmf.16. Looks stable.

sbassett moved this task from Security Patch To Deploy to Watching on the Security-Team board.Feb 23 2026, 11:08 PM
sbassett mentioned this in T411394: Write and send supplementary release announcement for extensions and skins with security patches (1.43.7/1.44.4/1.45.2).
OKryva-WMF edited projects, added Product Safety and Integrity (Sprint Crocus (Mar 2 - Mar 20)); removed Product Safety and Integrity (Sprint Flower (Feb 9 - Feb 27)).Mar 2 2026, 4:33 PM
OKryva-WMF moved this task from Backlog to Needs review on the Product Safety and Integrity (Sprint Crocus (Mar 2 - Mar 20)) board.Mar 2 2026, 4:35 PM
A09 subscribed.Mar 22 2026, 10:58 PM
Johannnes89 subscribed.Mar 23 2026, 7:27 AM
OKryva-WMF edited projects, added Product Safety and Integrity (Sprint Forsythia (Mar 23 - Apr 10))); removed Product Safety and Integrity (Sprint Crocus (Mar 2 - Mar 20)).Mar 23 2026, 4:19 PM
OKryva-WMF moved this task from Backlog to Needs review on the Product Safety and Integrity (Sprint Forsythia (Mar 23 - Apr 10))) board.
OKryva-WMF removed kostajh as the assignee of this task.Mar 24 2026, 1:01 PM
OKryva-WMF moved this task from Needs review to Ready on the Product Safety and Integrity (Sprint Forsythia (Mar 23 - Apr 10))) board.
matmarex mentioned this in T421525: Should vanishing an account remove its password and other login credentials?.Mar 27 2026, 5:48 PM
matmarex mentioned this in T420848: AccountVanishing is marking endusers as system users.
matmarex subscribed.Mar 27 2026, 5:53 PM

This change caused vanished accounts to be labelled as "system users" in the wiki interface, e.g. on Special:UserRights, which was filed as T420848: AccountVanishing is marking endusers as system users. I was quite confused what's happening until I found this task with its security patch.

A few people in that discussion pointed out that we had some ambiguous old decisions about *not* removing passwords from vanished users. I filed T421525: Should vanishing an account remove its password and other login credentials? with a sketch of the history, so that we can once again and finally decide what should happen.

Reedy added a subscriber: gerritbot.Apr 1 2026, 1:02 PM
Reedy subscribed.

Any objections for this patch to go through Gerrit?

sbassett added a comment.Apr 1 2026, 2:41 PM
In T418122#11777791, @Reedy wrote:

Any objections for this patch to go through Gerrit?

Not from me.

gerritbot added a comment.Apr 2 2026, 3:51 PM

Change #1267098 had a related patch set uploaded (by Reedy; author: Kosta Harlan):

[mediawiki/extensions/CentralAuth@master] SECURITY: Forward 'type' option to LocalRenameUserJob for vanishes

https://gerrit.wikimedia.org/r/1267098

gerritbot added a project: Patch-For-Review.Apr 2 2026, 3:51 PM
gerritbot added a comment.Apr 2 2026, 4:03 PM

Change #1267098 merged by jenkins-bot:

[mediawiki/extensions/CentralAuth@master] SECURITY: Forward 'type' option to LocalRenameUserJob for vanishes

https://gerrit.wikimedia.org/r/1267098

gerritbot added a comment.Apr 2 2026, 4:05 PM

Change #1267108 had a related patch set uploaded (by Reedy; author: Kosta Harlan):

[mediawiki/extensions/CentralAuth@REL1_45] SECURITY: Forward 'type' option to LocalRenameUserJob for vanishes

https://gerrit.wikimedia.org/r/1267108

gerritbot added a comment.Apr 2 2026, 4:07 PM

Change #1267110 had a related patch set uploaded (by Reedy; author: Kosta Harlan):

[mediawiki/extensions/CentralAuth@REL1_44] SECURITY: Forward 'type' option to LocalRenameUserJob for vanishes

https://gerrit.wikimedia.org/r/1267110

gerritbot added a comment.Apr 2 2026, 4:10 PM

Change #1267111 had a related patch set uploaded (by Reedy; author: Kosta Harlan):

[mediawiki/extensions/CentralAuth@REL1_43] SECURITY: Forward 'type' option to LocalRenameUserJob for vanishes

https://gerrit.wikimedia.org/r/1267111

gerritbot added a comment.Apr 2 2026, 4:25 PM

Change #1267108 merged by jenkins-bot:

[mediawiki/extensions/CentralAuth@REL1_45] SECURITY: Forward 'type' option to LocalRenameUserJob for vanishes

https://gerrit.wikimedia.org/r/1267108

gerritbot added a comment.Apr 2 2026, 4:26 PM

Change #1267110 merged by jenkins-bot:

[mediawiki/extensions/CentralAuth@REL1_44] SECURITY: Forward 'type' option to LocalRenameUserJob for vanishes

https://gerrit.wikimedia.org/r/1267110

gerritbot added a comment.Apr 2 2026, 4:41 PM

Change #1267111 merged by jenkins-bot:

[mediawiki/extensions/CentralAuth@REL1_43] SECURITY: Forward 'type' option to LocalRenameUserJob for vanishes

https://gerrit.wikimedia.org/r/1267111

Novem_Linguae subscribed.Apr 6 2026, 10:38 AM
Mstyles renamed this task from Global vanishing does not remove the user email completely to CVE-2026-39937: Global vanishing does not remove the user email completely.Apr 7 2026, 10:28 PM
Mstyles changed the visibility from "Custom Policy" to "Public (No Login Required)".
Mstyles changed the edit policy from "Custom Policy" to "All Users".
Restricted Application added a subscriber: Dragoniez. · View Herald TranscriptApr 7 2026, 10:28 PM
Maintenance_bot removed a project: Patch-For-Review.Apr 7 2026, 10:30 PM
Mstyles closed this task as Resolved.Apr 7 2026, 10:31 PM
Mstyles claimed this task.
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits