Hi,
This shouldn't affect very many installations as CentralAuth is very
WMF-specific, but letting everyone know that a fix for CentralAuth has just
been released.
It allowed user impersonation by a combination of the apioutput.js (used
for api.php output customization) and the central auth cookie.
The bug is:
https://phabricator.wikimedia.org/T144573
The gerrit change is:
https://gerrit.wikimedia.org/r/#/c/333316/
-Chad