GCVE-1-2026-0012

Vulnerability from gna-1 – Published: 2026-02-04 19:21 – Updated: 2026-02-04 19:21
Title
Authentication Error Message Allows Email Address Enumeration
Summary
A user enumeration vulnerability was identified in the authentication logic of the application. When an invalid login was supplied, the system performed an additional check to determine whether the input matched an existing email address and returned a specific error message if so. This behavior allowed unauthenticated attackers to infer whether a given email address was registered, enabling email address enumeration. The issue has been mitigated by removing the email-based check and returning a generic authentication failure message.
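The pattern the summary describes, as an added example that is not vulnerability-lookup's own code nor the content of the linked patch: a minimal login check carrying the e-mail oracle, beside a hardened version that returns one generic message, plus the probe an attacker would run against each. The user store, the hypothetical error text, and the function names are constructed for illustration. The hardened variant also hashes a dummy password for unknown identifiers so that both failure paths do comparable work; the advisory only describes the message-based oracle, so that timing caveat is this example's addition, not a finding about the project.

```python
import hashlib
import hmac
import secrets

# Constructed sample data (not real accounts): login name -> salt and PBKDF2 hash.
def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 20_000)

_SALT = secrets.token_bytes(16)
USERS = {
    "alice": {"email": "alice@example.org", "salt": _SALT, "hash": _hash("correct horse", _SALT)},
}
# Secondary index the vulnerable path consults: registered e-mail -> login name.
EMAIL_INDEX = {u["email"]: name for name, u in USERS.items()}

# Dummy credential so the hardened path hashes something even for unknown logins.
_DUMMY_SALT = secrets.token_bytes(16)
_DUMMY_HASH = _hash(secrets.token_hex(16), _DUMMY_SALT)

GENERIC_FAILURE = "Invalid login or password."


def login_vulnerable(login: str, password: str) -> tuple[bool, str]:
    """Pattern described in the advisory: when the login is unknown, an extra
    lookup checks whether the input is a registered e-mail and says so.
    The message text is hypothetical."""
    user = USERS.get(login)
    if user is None:
        if login in EMAIL_INDEX:  # the enumeration oracle
            return False, "Please log in with your username, not your email address."
        return False, GENERIC_FAILURE
    if hmac.compare_digest(_hash(password, user["salt"]), user["hash"]):
        return True, "OK"
    return False, GENERIC_FAILURE


def login_fixed(login: str, password: str) -> tuple[bool, str]:
    """Hardened version: no e-mail lookup, one message for every failure, and a
    dummy hash so an unknown login costs about the same as a wrong password."""
    user = USERS.get(login)
    if user is None:
        hmac.compare_digest(_hash(password, _DUMMY_SALT), _DUMMY_HASH)
        return False, GENERIC_FAILURE
    if hmac.compare_digest(_hash(password, user["salt"]), user["hash"]):
        return True, "OK"
    return False, GENERIC_FAILURE


def enumerate_emails(login_fn, candidates):
    """Attacker's view: a candidate is reported as registered whenever its
    failure message differs from the one a random unknown identifier gets."""
    _, baseline = login_fn("nobody-" + secrets.token_hex(4), "x")
    return [c for c in candidates if login_fn(c, "x")[1] != baseline]


if __name__ == "__main__":
    probe = ["alice@example.org", "bob@example.org"]
    print("vulnerable:", enumerate_emails(login_vulnerable, probe))  # ['alice@example.org']
    print("fixed:     ", enumerate_emails(login_fixed, probe))       # []
```

The probe never needs a valid password: it only compares error strings, which is why an unauthenticated client can run it. Any response difference (message, status code, redirect, or response time) is a usable oracle, so a fix should be checked against all of them, not only the wording.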
CWE
  • CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Assigner
gna-1
Impacted products
  • vulnerability-lookup (vendor: vulnerability-lookup), versions up to and including 3.0
Credits
  • nyanbinary <@nyanbinary@infosec.exchange> (finder)
  • Cedric Bonhomme (remediation developer)
{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "vulnerability-lookup",
          "vendor": "vulnerability-lookup",
          "versions": [
            {
              "lessThanOrEqual": "3.0",
              "status": "affected"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "nyanbinary \u003c@nyanbinary@infosec.exchange\u003e"
        },
        {
          "lang": "en",
          "type": "remediation developer",
          "value": "Cedric Bonhomme"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "A user enumeration vulnerability was identified in the authentication logic of the application. When an invalid login was supplied, the system performed an additional check to determine whether the input matched an existing email address and returned a specific error message if so. This behavior allowed unauthenticated attackers to infer whether a given email address was registered, enabling email address enumeration. The issue has been mitigated by removing the email-based check and returning a generic authentication failure message."
            }
          ],
          "value": "A user enumeration vulnerability was identified in the authentication logic of the application. When an invalid login was supplied, the system performed an additional check to determine whether the input matched an existing email address and returned a specific error message if so. This behavior allowed unauthenticated attackers to infer whether a given email address was registered, enabling email address enumeration. The issue has been mitigated by removing the email-based check and returning a generic authentication failure message."
        }
      ],
      "impacts": [
        {
          "descriptions": [
            {
              "lang": "en"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NEGLIGIBLE",
            "attackComplexity": "HIGH",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 2.1,
            "baseSeverity": "LOW",
            "privilegesRequired": "NONE",
            "providerUrgency": "CLEAR",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "ACTIVE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/S:N/U:Clear",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "LOW",
            "vulnIntegrityImpact": "NONE",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-200",
              "description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "orgId": "00000000-0000-4000-9000-000000000000"
      },
      "references": [
        {
          "tags": [
            "patch"
          ],
          "url": "https://github.com/vulnerability-lookup/vulnerability-lookup/commit/ce2d6e7412f01219f117361472e1ef0ce783bc17"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Authentication Error Message Allows Email Address Enumeration",
      "x_gcve": [
        {
          "recordType": "advisory",
          "vulnId": "gcve-1-2026-0012"
        }
      ],
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "00000000-0000-4000-9000-000000000000",
    "datePublished": "2026-02-04T19:21:34.411344Z",
    "dateUpdated": "2026-02-04T19:21:34.411344Z",
    "requesterUserId": "00000000-0000-4000-9000-000000000000",
    "serial": 1,
    "state": "PUBLISHED",
    "vulnId": "gcve-1-2026-0012",
    "vulnerabilitylookup_history": [
      [
        "alexandre.dulaunoy@circl.lu",
        "2026-02-04T19:21:34.411344Z"
      ]
    ]
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}