Executive Summary

CVE-2026-25138 is a username enumeration vulnerability in the Rucio WebUI login endpoint present in versions prior to 39.3.1. The login interface returns different error messages depending on whether the submitted username exists or not. For example, submitting a non-existent username results in a message stating no account is associated with that identity, while submitting an existing username with a wrong password returns a different authentication token error. This difference in responses allows unauthenticated attackers to determine which usernames are valid.

This vulnerability is classified under CWE-204 (Observable Response Discrepancy), where varying responses reveal internal state information to unauthorized users.

Useful 0 Not Useful 0

Impact Analysis

The vulnerability allows attackers to enumerate valid usernames on the Rucio WebUI login endpoint without authentication. This can facilitate targeted attacks such as password guessing, credential stuffing, or social engineering by providing attackers with a list of valid usernames.

The severity is rated as Moderate with a CVSS v3.1 base score of 5.3, indicating that the attack can be performed remotely with low complexity and no privileges or user interaction required, but it only has a low impact on confidentiality.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by sending login requests to the Rucio WebUI login endpoint (/ui/login) with different usernames and analyzing the error messages returned.'}, {'type': 'paragraph', 'content': 'For example, submitting a non-existent username will return a message indicating no account is associated with that identity, while submitting an existing username with an incorrect password will return a different authentication token error.'}, {'type': 'paragraph', 'content': 'A simple way to test this is by using curl commands to POST login attempts and observe the responses.'}, {'type': 'list_item', 'content': 'curl -X POST -d \'{"username":"nonexistentuser","password":"any"}\' https://<rucio-server>/ui/login -H \'Content-Type: application/json\''}, {'type': 'list_item', 'content': 'curl -X POST -d \'{"username":"existinguser","password":"wrongpassword"}\' https://<rucio-server>/ui/login -H \'Content-Type: application/json\''}, {'type': 'paragraph', 'content': 'By comparing the error messages from these requests, you can determine if the system is vulnerable to username enumeration.'}] [1]

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include upgrading the Rucio WebUI to versions 35.8.3, 38.5.4, or 39.3.1 where the vulnerability is fixed.

If upgrading is not immediately possible, configure the login endpoint to return a generic authentication failure message for all login errors regardless of username validity to avoid disclosing account existence.

Additionally, implement rate limiting or login throttling to reduce the risk of abuse through automated username enumeration attempts.

Useful 0 Not Useful 0