GHSA-38WQ-6Q2W-HCF9
Vulnerability from github – Published: 2026-02-25 18:53 – Updated: 2026-02-25 18:53
Summary
The WebUI login endpoint returns distinct error messages depending on whether a supplied username exists, allowing unauthenticated attackers to enumerate valid usernames.
Details
When submitting invalid credentials to /ui/login, the WebUI responds with different error messages based on the existence of the provided username (identity). A non-existent username results in an error indicating that no account is associated with the identity, while an existing username with an incorrect password produces a different authentication-related error.
This behavioral difference allows an attacker to distinguish valid usernames from invalid ones by observing the response content.
Proof of Concept
Bogus Login (Non-existent Username "15251087")
Response contains:
Cannot get find any account associated with 15251087 identity.
Bogus Login (Existing Username "root", Wrong Password)
Response contains:
Cannot get auth token. It is possible that the presented identity root is not mapped to any Rucio account root.
The difference in error messages confirms whether a username exists.
Impact
An unauthenticated attacker can enumerate valid usernames, which may be leveraged for targeted password guessing, credential stuffing, or social engineering attacks.
Remediation / Mitigation
Return a generic authentication failure message for all login errors, regardless of whether the username exists. Avoid disclosing account or identity existence through error responses. Consider implementing rate limiting or additional login throttling to further reduce abuse.
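The following is an added illustration for this advisory, not Rucio WebUI code. It puts the leaky pattern (two different error strings, modelled on the two messages quoted in the proof of concept) next to a fixed handler that returns one generic message and does the same hashing work whether or not the identity exists, plus a small regression check that flags any handler whose two failure responses differ. The account store, the salt, the PBKDF2 parameters and all function names are constructed for the example.

```python
"""Username enumeration via login errors: leaky handler vs. constant-response handler.

Added illustration for GHSA-38wq-6q2w-hcf9; not Rucio's code. Everything
below (account store, salt, handler names, messages) is constructed.
"""
import hashlib
import hmac


def _hash(password: str, salt: bytes) -> bytes:
    # Constructed password hashing (PBKDF2-HMAC-SHA256); iteration count kept
    # low so the example runs quickly.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 20_000)


_SALT = b"constructed-demo-salt"

# Constructed account store: identity -> salted password hash.
ACCOUNTS = {"root": _hash("correct horse battery staple", _SALT)}

# Placeholder hash compared against when the identity does not exist, so the
# hardened handler performs the same work on both failure paths.
_DUMMY_HASH = _hash("placeholder-never-a-valid-password", _SALT)

GENERIC_FAILURE = "Invalid username or password."


def login_leaky(identity: str, password: str) -> tuple[int, str]:
    """Vulnerable pattern: the error text depends on whether the identity exists.

    The two strings deliberately mirror the messages quoted in the advisory.
    """
    stored = ACCOUNTS.get(identity)
    if stored is None:
        return 401, f"Cannot get find any account associated with {identity} identity."
    if not hmac.compare_digest(stored, _hash(password, _SALT)):
        return 401, (
            "Cannot get auth token. It is possible that the presented identity "
            f"{identity} is not mapped to any Rucio account {identity}."
        )
    return 200, "ok"


def login_hardened(identity: str, password: str) -> tuple[int, str]:
    """Fixed pattern: one generic message, identical status and work on both failure paths."""
    stored = ACCOUNTS.get(identity, _DUMMY_HASH)
    # Always hash and compare, even for unknown identities, so response time
    # does not become the next enumeration signal.
    password_matches = hmac.compare_digest(stored, _hash(password, _SALT))
    if not (password_matches and identity in ACCOUNTS):
        return 401, GENERIC_FAILURE
    return 200, "ok"


def leaks_account_existence(handler, known_identity: str, unknown_identity: str) -> bool:
    """Regression check: True if a wrong password for a real account and any
    password for a non-existent account produce different responses."""
    known = handler(known_identity, "definitely-wrong-password")
    unknown = handler(unknown_identity, "definitely-wrong-password")
    return known != unknown


if __name__ == "__main__":
    for name, handler in (("leaky", login_leaky), ("hardened", login_hardened)):
        verdict = "LEAKS" if leaks_account_existence(handler, "root", "15251087") else "ok"
        print(f"{name}: {verdict}")
```

The `leaks_account_existence` check is the kind of test worth keeping in a login endpoint's test suite: it compares the whole response tuple, so a later change that reintroduces a differing status code or body for unknown identities fails the test.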
Resources:
- OWASP Authentication Cheat Sheet - Authentication and Error Messages: https://cheatsheetseries.owasp.org/cheatsheets/Authentication_Cheat_Sheet.html#authentication-and-error-messages
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "rucio-webui"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "35.8.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "rucio-webui"
},
"ranges": [
{
"events": [
{
"introduced": "36.0.0rc1"
},
{
"fixed": "38.5.4"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "rucio-webui"
},
"ranges": [
{
"events": [
{
"introduced": "39.0.0rc1"
},
{
"fixed": "39.3.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-25138"
],
"database_specific": {
"cwe_ids": [
"CWE-204"
],
"github_reviewed": true,
"github_reviewed_at": "2026-02-25T18:53:42Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "### Summary\nThe WebUI login endpoint returns distinct error messages depending on whether a supplied username exists, allowing unauthenticated attackers to enumerate valid usernames.\n\n### Details\nWhen submitting invalid credentials to `/ui/login`, the WebUI responds with different error messages based on the existence of the provided username (identity). A non-existent username results in an error indicating that no account is associated with the identity, while an existing username with an incorrect password produces a different authentication-related error.\n\nThis behavioral difference allows an attacker to distinguish valid usernames from invalid ones by observing the response content.\n\n### Proof of Concept\n**Bogus Login (Non-existent Username \"15251087\")** \nResponse contains:\n```\nCannot get find any account associated with 15251087 identity.\n```\n\n**Bogus Login (Existing Username \"root\", Wrong Password)** \nResponse contains:\n```\nCannot get auth token. It is possible that the presented identity root is not mapped to any Rucio account root.\n```\n\nThe difference in error messages confirms whether a username exists.\n\n### Impact\nAn unauthenticated attacker can enumerate valid usernames, which may be leveraged for targeted password guessing, credential stuffing, or social engineering attacks.\n\n### Remediation / Mitigation\nReturn a generic authentication failure message for all login errors, regardless of whether the username exists. Avoid disclosing account or identity existence through error responses. Consider implementing rate limiting or additional login throttling to further reduce abuse.\n\n#### Reources:\n- OWASP Authentication Cheat Sheet - Authentication and Error Messages: https://cheatsheetseries.owasp.org/cheatsheets/Authentication_Cheat_Sheet.html#authentication-and-error-messages",
"id": "GHSA-38wq-6q2w-hcf9",
"modified": "2026-02-25T18:53:42Z",
"published": "2026-02-25T18:53:42Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/rucio/rucio/security/advisories/GHSA-38wq-6q2w-hcf9"
},
{
"type": "WEB",
"url": "https://cheatsheetseries.owasp.org/cheatsheets/Authentication_Cheat_Sheet.html#authentication-and-error-messages"
},
{
"type": "PACKAGE",
"url": "https://github.com/rucio/rucio"
},
{
"type": "WEB",
"url": "https://github.com/rucio/rucio/releases/tag/35.8.3"
},
{
"type": "WEB",
"url": "https://github.com/rucio/rucio/releases/tag/38.5.4"
},
{
"type": "WEB",
"url": "https://github.com/rucio/rucio/releases/tag/39.3.1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Rucio WebUI has Username Enumeration via Login Error Message"
}