Hi,
This shouldn't affect very many installations, as CentralAuth is very WMF-specific, but letting everyone know that a fix for CentralAuth has just been released.
It allowed user impersonation by a combination of the apioutput.js (used for api.php output customization) and the central auth cookie.
The bug is: https://phabricator.wikimedia.org/T144573
The gerrit change is: https://gerrit.wikimedia.org/r/#/c/333316/
-Chad
wikitech-l@lists.wikimedia.org