CVE-2026-25138
Rucio WebUI has Username Enumeration via Login Error Message
Description
### Summary The WebUI login endpoint returns distinct error messages depending on whether a supplied username exists, allowing unauthenticated attackers to enumerate valid usernames. ### Details When submitting invalid credentials to `/ui/login`, the WebUI responds with different error messages based on the existence of the provided username (identity). A non-existent username results in an error indicating that no account is associated with the identity, while an existing username with an incorrect password produces a different authentication-related error. This behavioral difference allows an attacker to distinguish valid usernames from invalid ones by observing the response content. ### Proof of Concept **Bogus Login (Non-existent Username "15251087")** Response contains: ``` Cannot get find any account associated with 15251087 identity. ``` **Bogus Login (Existing Username "root", Wrong Password)** Response contains: ``` Cannot get auth token. It is possible that the presented identity root is not mapped to any Rucio account root. ``` The difference in error messages confirms whether a username exists. ### Impact An unauthenticated attacker can enumerate valid usernames, which may be leveraged for targeted password guessing, credential stuffing, or social engineering attacks. ### Remediation / Mitigation Return a generic authentication failure message for all login errors, regardless of whether the username exists. Avoid disclosing account or identity existence through error responses. Consider implementing rate limiting or additional login throttling to further reduce abuse. #### Reources: - OWASP Authentication Cheat Sheet - Authentication and Error Messages: https://cheatsheetseries.owasp.org/cheatsheets/Authentication_Cheat_Sheet.html#authentication-and-error-messages
How to fix CVE-2026-25138
To remediate CVE-2026-25138, upgrade the affected package to a fixed version below.
- —upgrade to 35.8.3 or later
Is CVE-2026-25138 being exploited?
Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.