CVE-2026-25138
Username Enumeration in Rucio WebUI Login Endpoint
Publication date: 2026-02-25
Last updated on: 2026-02-27
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Affected versions |
|---|---|---|
| cern | rucio | earlier than 35.8.3 |
| cern | rucio | 36.0.0 up to, but not including, 38.5.4 |
| cern | rucio | 39.0.0 up to, but not including, 39.3.1 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-204 | The product provides different responses to incoming requests in a way that reveals internal state information to an unauthorized actor outside of the intended control sphere. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-25138 is a username enumeration vulnerability in the Rucio WebUI login endpoint, present in the affected release ranges listed above (fixed in 35.8.3, 38.5.4 and 39.3.1). The login interface returns different error messages depending on whether the submitted username exists. Submitting a non-existent username yields a message stating that no account is associated with that identity, while submitting an existing username with a wrong password yields a different authentication-token error. Because the two failure cases are distinguishable, an unauthenticated attacker can determine which usernames are valid without ever knowing a password.
This vulnerability is classified under CWE-204 (Observable Response Discrepancy): the product's responses to incoming requests differ in a way that reveals internal state (here, account existence) to an unauthorized actor.
How can this vulnerability impact me?
The vulnerability allows attackers to enumerate valid usernames on the Rucio WebUI login endpoint without authentication. A confirmed list of valid usernames makes follow-on attacks such as password guessing, credential stuffing and social engineering more efficient, since every attempt can be aimed at an account that is known to exist.
The severity is rated as Moderate with a CVSS v3.1 base score of 5.3: the attack can be performed remotely with low complexity and requires no privileges or user interaction, but its direct impact is limited to a low loss of confidentiality (account existence only).
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by sending login requests to the Rucio WebUI login endpoint (/ui/login) with different usernames and comparing the error messages returned.
Submitting a non-existent username returns a message indicating that no account is associated with that identity, while submitting an existing username with an incorrect password returns a different authentication-token error.
A simple way to test this is to POST two login attempts with curl and compare the responses (the -i flag includes the status line and headers, which should be compared as well as the body):
curl -sS -i -X POST -H 'Content-Type: application/json' -d '{"username":"nonexistentuser","password":"any"}' https://<rucio-server>/ui/login
curl -sS -i -X POST -H 'Content-Type: application/json' -d '{"username":"existinguser","password":"wrongpassword"}' https://<rucio-server>/ui/login
If the error messages (or status codes) returned by these two requests differ, the deployment is vulnerable to username enumeration; a fixed version returns the same generic failure for both. [1]
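The comparison above can be automated. The following script is an added example, not code from Rucio or from this advisory: it masks fields that legitimately vary between two requests (the echoed username, UUIDs, timestamps) and then reports whether two failed logins are distinguishable by status code or message. The /ui/login path, the JSON body shape and the sample responses are assumptions or constructed data modelled on the behaviour described above, not text captured from a Rucio server.

```python
"""Added example (not part of Rucio or this advisory): compare a login
endpoint's responses for a username that should not exist with those for a
username that does, to detect the observable response discrepancy (CWE-204)
described above.  The /ui/login path, the JSON body shape and the sample
responses are assumptions or constructed data; adjust them for the target."""
import json
import re
import urllib.error
import urllib.request
from dataclasses import dataclass


@dataclass
class LoginResponse:
    status: int
    body: str


def probe(base_url: str, username: str, password: str, timeout: float = 10.0) -> LoginResponse:
    """POST one login attempt and capture status and body.  4xx/5xx replies are
    returned rather than raised, because the error body is exactly what we
    compare.  (Network helper for live use; the offline demo does not call it.)"""
    req = urllib.request.Request(
        base_url.rstrip("/") + "/ui/login",  # assumed endpoint path
        data=json.dumps({"username": username, "password": password}).encode(),
        headers={"Content-Type": "application/json"},
        method="POST",
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return LoginResponse(resp.status, resp.read().decode(errors="replace"))
    except urllib.error.HTTPError as err:
        return LoginResponse(err.code, err.read().decode(errors="replace"))


def normalize(body: str, username: str) -> str:
    """Mask fields that legitimately differ between two requests (the echoed
    username, UUIDs, timestamps) so that only the *kind* of error is compared."""
    text = body.replace(username, "<user>") if username else body
    text = re.sub(r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}", "<uuid>", text, flags=re.I)
    text = re.sub(r"\d{4}-\d{2}-\d{2}[T ]\d{2}:\d{2}:\d{2}(?:\.\d+)?Z?", "<ts>", text)
    return " ".join(text.split()).lower()


def compare(unknown: LoginResponse, known: LoginResponse, unknown_user: str, known_user: str) -> dict:
    """Report every channel on which the two failed logins are distinguishable.
    Any True flag means an unauthenticated client can tell valid usernames apart."""
    status_differs = unknown.status != known.status
    message_differs = normalize(unknown.body, unknown_user) != normalize(known.body, known_user)
    return {
        "status_differs": status_differs,
        "message_differs": message_differs,
        "vulnerable": status_differs or message_differs,
    }


# Constructed sample responses modelled on the behaviour this advisory describes.
# The wording is illustrative, not quoted from Rucio.
VULNERABLE_UNKNOWN = LoginResponse(401, '{"error": "No account associated with identity nosuchuser"}')
VULNERABLE_KNOWN = LoginResponse(401, '{"error": "Could not obtain an authentication token for alice"}')
FIXED_UNKNOWN = LoginResponse(401, '{"error": "Invalid username or password"}')
FIXED_KNOWN = LoginResponse(401, '{"error": "Invalid username or password"}')


def demo() -> tuple[dict, dict]:
    """Offline run over the constructed samples: (vulnerable result, fixed result)."""
    before = compare(VULNERABLE_UNKNOWN, VULNERABLE_KNOWN, "nosuchuser", "alice")
    after = compare(FIXED_UNKNOWN, FIXED_KNOWN, "nosuchuser", "alice")
    return before, after


if __name__ == "__main__":
    vulnerable, fixed = demo()
    print("vulnerable build:", vulnerable)
    print("fixed build:     ", fixed)
```

Against a live deployment you are authorized to test, call probe() twice, once with a random username that cannot exist and once with an account you control, and pass both results to compare(). Masking the echoed username matters: without it, two responses built from the same template would be reported as different simply because they contain different names.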
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation is to upgrade the Rucio WebUI to a fixed release: 35.8.3, 38.5.4 or 39.3.1 (or later within the same major series), matching the affected ranges listed above.
If upgrading is not immediately possible, make the login endpoint return one generic authentication-failure message, with the same status code, for every login error, regardless of whether the submitted username exists.
Additionally, apply rate limiting or login throttling to the endpoint to slow automated enumeration attempts. Throttling only raises the cost of enumeration; it does not remove the disclosure, so it complements the upgrade rather than replacing it.
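The following is an added example, not Rucio's code, showing the response-discrepancy pattern behind CWE-204 next to the generic-failure form recommended above. It is framework-agnostic Python; the account store, salts, message strings and helper names are constructed for the demonstration and are not taken from the project.

```python
"""Added example (illustrative, not Rucio's code): a login handler with the
response discrepancy behind CWE-204, beside a hardened version that returns
one generic failure for every wrong credential.  The account store, salts,
messages and helper names are constructed for this demo."""
import hashlib
import hmac
import secrets


def derive_key(password: str, salt: bytes) -> bytes:
    """Password hash used by both handlers (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed account store: username -> (salt, derived key).  Not real credentials.
_ALICE_SALT = b"constructed-salt-alice"
ACCOUNTS = {"alice": (_ALICE_SALT, derive_key("correct horse battery", _ALICE_SALT))}

GENERIC_ERROR = "Invalid username or password"


def login_vulnerable(username: str, password: str) -> tuple[int, str]:
    """Leaks account existence: the unknown-user and wrong-password paths
    return different messages, and the unknown-user path skips the hash
    computation, so it also answers measurably faster."""
    account = ACCOUNTS.get(username)
    if account is None:
        return 401, f"No account associated with identity {username}"
    salt, key = account
    if not hmac.compare_digest(derive_key(password, salt), key):
        return 401, "Cannot obtain an authentication token for this identity"
    return 200, "ok"


# Dummy credentials used when the username is unknown, so the hardened handler
# does the same amount of work whether or not the account exists.  A random
# 32-byte key cannot match any real derived key.
_DUMMY_SALT = b"constructed-dummy-salt"
_DUMMY_KEY = secrets.token_bytes(32)


def login_hardened(username: str, password: str) -> tuple[int, str]:
    """Same status, same message and same work on every failure path."""
    salt, key = ACCOUNTS.get(username, (_DUMMY_SALT, _DUMMY_KEY))
    password_ok = hmac.compare_digest(derive_key(password, salt), key)
    # The explicit membership check is defence in depth: even if the dummy key
    # were somehow matched, an unknown username can never log in.
    if not (password_ok and username in ACCOUNTS):
        return 401, GENERIC_ERROR
    return 200, "ok"


if __name__ == "__main__":
    for handler in (login_vulnerable, login_hardened):
        print(handler.__name__)
        print("  unknown user:  ", handler("nosuchuser", "guess"))
        print("  wrong password:", handler("alice", "guess"))
```

The hardened handler fixes two channels at once: the message and status are identical for both failure cases, and the password hash is computed even for unknown usernames so that the unknown-user path is not noticeably faster. The real-world detail of the failing login should still go to the server log, where it is useful for incident response, just not to the client.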