CVE-2024-0391
Username Enumeration in Email OTP Authentication

Publication date: 2026-05-11

Last updated on: 2026-05-11

Assigner: WSO2 LLC

Description
The "check user account lock states" feature within the email OTP flow fails to validate user input, allowing an attacker to infer the existence of registered user accounts. The discovery of valid usernames can increase the risk of brute-force and social engineering attacks. Attackers can leverage this information to craft targeted phishing campaigns or other malicious activities aimed at tricking users into divulging sensitive data, potentially damaging the organization's reputation and leading to regulatory non-compliance and financial consequences.
Affected Vendors & Products (7 associated CPEs)
Vendor | Product | Version
wso2 | identity_server | 5.10.0
wso2 | identity_server | 5.11.0
wso2 | identity_server | 6.0.0
wso2 | identity_server | 6.1.0
wso2 | identity_server | 7.0.0
wso2 | identity_server_as_key_manager | 5.10.0
wso2 | open_banking_iam | 2.0.0
CWE ID | Description
CWE-204 | The product provides different responses to incoming requests in a way that reveals internal state information to an unauthorized actor outside of the intended control sphere.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2024-0391 is a medium-severity vulnerability affecting multiple WSO2 products. It arises from a lack of validation in the email OTP (One-Time Password) flow, specifically in the feature that checks user account lock states. This flaw allows an attacker to perform username enumeration by determining which usernames are registered in the system.

By exploiting this vulnerability, an attacker can infer the existence of valid user accounts, which can then be used to increase the risk of brute-force attacks, social engineering, and information leakage.


How can this vulnerability impact me?

The vulnerability can lead to several negative impacts including increased risk of brute-force attacks and social engineering attacks.

  • Attackers can discover valid usernames, which helps them craft targeted phishing campaigns.
  • This can result in users being tricked into divulging sensitive information.
  • The organization’s reputation may be damaged due to successful attacks.
  • There may be regulatory non-compliance issues and financial consequences as a result.

How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

This vulnerability can lead to regulatory non-compliance because it increases the risk of unauthorized access and data breaches.

By allowing attackers to enumerate valid usernames and potentially conduct phishing or social engineering attacks, sensitive personal data could be exposed or compromised, which violates data protection standards such as GDPR and HIPAA.

Failure to protect user information adequately may result in legal and financial consequences under these regulations.


What immediate steps should I take to mitigate this vulnerability?

To mitigate CVE-2024-0391, it is recommended to update the affected WSO2 products to the specified fixed versions.

  • Apply the fixes provided via the public GitHub pull request if you are a community user.
  • Subscription holders should update their products to the specified update levels.
  • If applying the fix is not feasible, migrate to the latest unaffected version of the respective WSO2 product.
