CVE-2024-0391
Analyzed Analyzed - Analysis Complete
Username Enumeration in Email OTP Authentication

Publication date: 2026-05-11

Last updated on: 2026-05-27

Assigner: WSO2 LLC

Description
The check user account lock states feature within the email OTP flow fails to validate user input, allowing an attacker to infer the existence of registered user accounts. The discovery of valid usernames can increase the risk of brute-force and social engineering attacks. Attackers can leverage this information to craft targeted phishing campaigns or other malicious activities aimed at tricking users into divulging sensitive data, potentially damaging the organization's reputation and leading to regulatory non-compliance and financial consequences.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-11
Last Modified
2026-05-27
Generated
2026-06-20
AI Q&A
2026-05-11
EPSS Evaluated
2026-06-19
NVD
CVE-2024-0391
EUVD
EUVD-2024-16187
Affected Vendors & Products
Showing 7 associated CPEs
Vendor Product Version / Range
wso2 identity_server From 5.10.0 (inc) to 5.10.0.379 (exc)
wso2 identity_server From 5.11.0 (inc) to 5.11.0.426 (exc)
wso2 identity_server From 6.0.0 (inc) to 6.0.0.253 (exc)
wso2 identity_server From 6.1.0 (inc) to 6.1.0.254 (exc)
wso2 identity_server From 7.0.0 (inc) to 7.0.0.131 (exc)
wso2 identity_server_as_key_manager From 5.10.0 (inc) to 5.10.267 (exc)
wso2 open_banking_iam From 2.0.0 (inc) to 2.0.0.318 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-204 The product provides different responses to incoming requests in a way that reveals internal state information to an unauthorized actor outside of the intended control sphere.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2024-0391 is a medium-severity vulnerability affecting multiple WSO2 products. It arises from a lack of validation in the email OTP (One-Time Password) flow, specifically in the feature that checks user account lock states. This flaw allows an attacker to perform username enumeration by determining which usernames are registered in the system.

By exploiting this vulnerability, an attacker can infer the existence of valid user accounts, which can then be used to increase the risk of brute-force attacks, social engineering, and information leakage.

Impact Analysis

The vulnerability can lead to several negative impacts including increased risk of brute-force attacks and social engineering attacks.

  • Attackers can discover valid usernames, which helps them craft targeted phishing campaigns.
  • This can result in users being tricked into divulging sensitive information.
  • The organization’s reputation may be damaged due to successful attacks.
  • There may be regulatory non-compliance issues and financial consequences as a result.
Compliance Impact

This vulnerability can lead to regulatory non-compliance because it increases the risk of unauthorized access and data breaches.

By allowing attackers to enumerate valid usernames and potentially conduct phishing or social engineering attacks, sensitive personal data could be exposed or compromised, which violates data protection standards such as GDPR and HIPAA.

Failure to protect user information adequately may result in legal and financial consequences under these regulations.

Mitigation Strategies

To mitigate CVE-2024-0391, it is recommended to update the affected WSO2 products to the specified fixed versions.

  • Apply the fixes provided via the public GitHub pull request if you are a community user.
  • Subscription holders should update their products to the specified update levels.
  • If applying the fix is not feasible, migrate to the latest unaffected version of the respective WSO2 product.
Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2024-0391. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart