Hi, I just wanted to quickly let you know that on Friday Lucie discovered that it's possible to use the wbmergeitems API without passing an edit token to it, also it was possible to use it via GET requests. Not requiring a token made that module vulnerable to CSRF attacks. We opened a security bug, fixed the problem and deployed a patch on Friday, thus the problem has been fixed on Wikidata.org. Anyone running their own Wikibase installations is advised to update to master or to cherry-pick https://gerrit.wikimedia.org/r/198736. Users of the wbmergeitems API should check whether they use POST for their requests and are sending a valid token. Cheers, Marius For further details, please see: https://phabricator.wikimedia.org/T93365