CVE-2024-0391
Username Enumeration via Email OTP Flow in Multiple WSO2 Products Allows User Account Discovery
CVSS Score
5.3
EPSS Score
0.0%
EPSS Percentile
0th
The check user account lock states feature within the email OTP flow fails to validate user input, allowing an attacker to infer the existence of registered user accounts. The discovery of valid usernames can increase the risk of brute-force and social engineering attacks. Attackers can leverage this information to craft targeted phishing campaigns or other malicious activities aimed at tricking users into divulging sensitive data, potentially damaging the organization's reputation and leading to regulatory non-compliance and financial consequences.
| CWE | CWE-204 |
| Vendor | wso2 |
| Product | wso2 identity server |
| Published | May 11, 2026 |
| Last Updated | May 11, 2026 |
Stay Ahead of the Next One
Get instant alerts for wso2 wso2 identity server
Be the first to know when new medium vulnerabilities affecting wso2 wso2 identity server are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None
Affected Versions
WSO2 / WSO2 Identity Server
5.10.0 < 5.10.0.379 5.11.0 < 5.11.0.426 5.11.0 < 5.11.0.431 6.0.0 < 6.0.0.253 6.1.0 < 6.1.0.254 7.0.0 < 7.0.0.131
WSO2 / WSO2 Open Banking IAM
2.0.0 < 2.0.0.318
WSO2 / WSO2 Identity Server as Key Manager
5.10.0 < 5.10.0.267
WSO2 / Email OTP Authenticator
1.0.18 < 1.0.18.7
WSO2 / WSO2 Carbon Authenticator Library For EmailOTP
4.1.0 < 4.1.0.8 4.1.4 < 4.1.4.9
WSO2 / WSO2 Carbon Authenticator Library For EmailOTP
3.0.5 < 3.0.5.8 3.0.24 < 3.0.24.6 3.0.26 < 3.0.26.16