CVE-2025-14243
Username Enumeration Vulnerability in OpenShift Mirror Registry Authentication
Publication date: 2026-04-08
Last updated on: 2026-04-21
Assigner: Red Hat, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| redhat | mirror_registry_for_red_hat_openshift | * |
| redhat | mirror_registry_for_red_hat_openshift | 2.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-209 | The product generates an error message that includes sensitive information about its environment, users, or associated data. |
AI Powered Q&A
How can this vulnerability impact me?
This vulnerability can impact you by exposing valid usernames and email addresses to attackers without requiring authentication. Such information disclosure can facilitate further attacks like phishing, social engineering, or brute force attempts against known accounts.
Can you explain this vulnerability to me?
CVE-2025-14243 is a medium severity vulnerability in the OpenShift Mirror Registry that allows an unauthenticated remote attacker to enumerate valid usernames and email addresses. This is possible because the system returns different error messages during authentication failures and account creation, which can be analyzed to determine which usernames exist.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows an unauthenticated, remote attacker to enumerate valid usernames and email addresses by analyzing different error messages during authentication failures and account creation.
This kind of user enumeration can lead to unauthorized disclosure of personally identifiable information (PII), such as usernames and email addresses.
Such unauthorized disclosure may impact compliance with data protection regulations like GDPR and HIPAA, which require protection of personal data and prevention of unauthorized access or disclosure.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by attempting to authenticate with various usernames and observing the differences in error messages returned by the OpenShift Mirror Registry. An attacker can enumerate valid usernames by analyzing these error responses during login attempts.
Specific commands are not provided in the available resources, but a common approach would be to use automated scripts or tools to send authentication requests with different usernames and analyze the error messages for discrepancies that indicate valid accounts.
What immediate steps should I take to mitigate this vulnerability?
No specific mitigation steps or fixed versions are provided in the available resources. Immediate steps would generally include monitoring authentication logs for suspicious enumeration attempts and restricting access to the OpenShift Mirror Registry to trusted users or networks where possible.
Additionally, consider implementing generic error messages for authentication failures to avoid leaking information about valid usernames or email addresses.
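An added example, not code from the mirror registry or from Red Hat, showing both mitigations described above: a login handler in the CWE-209 shape beside a hardened one that returns the same failure for every reason, and a detector that flags a source failing for many distinct usernames in constructed auth-failure log lines. The user store and the log format are assumptions.

```python
import hmac
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed user store; an assumption, not the registry's real account schema.
USERS = {"alice": "correct-horse", "bob": "battery-staple"}
GENERIC_FAILURE = "Invalid username or password"

def login_verbose(username, password):
    """Vulnerable pattern (CWE-209): the message reveals whether the account exists."""
    if username not in USERS:
        return 401, "Unknown username"
    if USERS[username] != password:
        return 401, "Incorrect password"
    return 200, "OK"

def login_uniform(username, password):
    """Hardened pattern: identical status and message for every failure reason."""
    stored = USERS.get(username, "")  # unknown and known users share one code path
    if stored and hmac.compare_digest(stored.encode(), password.encode()):
        return 200, "OK"
    return 401, GENERIC_FAILURE

# Assumed log format: "<ISO timestamp> auth_failure user=<name> src=<ip>".
LOG_RE = re.compile(r"^(?P<ts>\S+) auth_failure user=(?P<user>\S+) src=(?P<src>\S+)$")

def enumeration_sources(log_lines, window=timedelta(minutes=5), threshold=5):
    """Sources that failed for >= threshold distinct usernames within one window."""
    events = defaultdict(list)  # src -> [(timestamp, username)]
    for line in log_lines:
        m = LOG_RE.match(line)
        if m:
            events[m["src"]].append((datetime.fromisoformat(m["ts"]), m["user"]))
    flagged = set()
    for src, evs in events.items():
        evs.sort()
        for i, (start, _) in enumerate(evs):
            users = {u for t, u in evs[i:] if t - start <= window}
            if len(users) >= threshold:  # password guessing on one account won't trip this
                flagged.add(src)
                break
    return sorted(flagged)

# Constructed sample: one source sweeps six names, another retries a single account.
SAMPLE_LOG = [
    f"2026-04-08T10:00:{s:02d} auth_failure user={u} src=198.51.100.7"
    for s, u in enumerate(["admin", "alice", "bob", "carol", "dave", "erin"])
] + [f"2026-04-08T10:01:{s:02d} auth_failure user=bob src=203.0.113.5" for s in range(3)]
```

The threshold and window are tuning knobs; the distinct-username count is what separates enumeration from ordinary password retries against one account.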