Rucio WebUI Exposes Valid Usernames

GHSA-38wq-6q2w-hcf9 CVE-2026-25138
Summary

An unauthenticated attacker can determine whether a given username exists, which helps with password guessing and with phishing specific users. The fix is for the login system to return the same error message for every failed login attempt, so the response no longer reveals whether the username is valid. This makes it harder for attackers to enumerate valid usernames or to target users with phishing.

What to do
  • Update rucio-webui to version 35.8.3.
  • Update rucio-webui to version 38.5.4.
  • Update rucio-webui to version 39.3.1.
Affected software

| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| | rucio-webui | <= 35.8.3 | 35.8.3 |
| | rucio-webui | > 36.0.0rc1, <= 38.5.4 | 38.5.4 |
| | rucio-webui | > 39.0.0rc1, <= 39.3.1 | 39.3.1 |
| cern | rucio | <= 35.8.3 | |
| cern | rucio | > 36.0.0, <= 38.5.4 | |
| cern | rucio | > 39.0.0, <= 39.3.1 | |
Original title
Rucio WebUI has Username Enumeration via Login Error Message
Original description
### Summary
The WebUI login endpoint returns distinct error messages depending on whether a supplied username exists, allowing unauthenticated attackers to enumerate valid usernames.

### Details
When submitting invalid credentials to `/ui/login`, the WebUI responds with different error messages based on the existence of the provided username (identity). A non-existent username results in an error indicating that no account is associated with the identity, while an existing username with an incorrect password produces a different authentication-related error.

This behavioral difference allows an attacker to distinguish valid usernames from invalid ones by observing the response content.

### Proof of Concept
**Bogus Login (Non-existent Username "15251087")**
Response contains:
```
Cannot get find any account associated with 15251087 identity.
```

**Bogus Login (Existing Username "root", Wrong Password)**
Response contains:
```
Cannot get auth token. It is possible that the presented identity root is not mapped to any Rucio account root.
```

The difference in error messages confirms whether a username exists.

### Impact
An unauthenticated attacker can enumerate valid usernames, which may be leveraged for targeted password guessing, credential stuffing, or social engineering attacks.

### Remediation / Mitigation
Return a generic authentication failure message for all login errors, regardless of whether the username exists. Avoid disclosing account or identity existence through error responses. Consider implementing rate limiting or additional login throttling to further reduce abuse.
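To make the remediation concrete, the following added example (not code from the Rucio project) models a login handler that echoes the backend's failure reason, the hardened handler that collapses every failure into one generic response, and a regression check that flags the discrepancy. The account store, the two backend exceptions and the message strings are constructed stand-ins that mimic the advisory's two responses.

```python
import logging

# Constructed in-memory identity -> password store standing in for the real
# identity/account mapping (sample data only, not Rucio's code).
ACCOUNTS = {"root": "correct-horse-battery"}


class IdentityNotMapped(Exception):
    """Backend failure mode 1: no account is associated with the identity."""


class BadCredentials(Exception):
    """Backend failure mode 2: identity exists but the password is wrong."""


def backend_authenticate(identity: str, password: str) -> str:
    """Stand-in auth backend that raises a distinct error per failure mode."""
    if identity not in ACCOUNTS:
        raise IdentityNotMapped(f"Cannot find any account associated with {identity} identity.")
    if ACCOUNTS[identity] != password:
        raise BadCredentials(f"Cannot get auth token for identity {identity}.")
    return f"token-for-{identity}"


def login_vulnerable(identity: str, password: str) -> tuple:
    """CWE-204 pattern: the backend's reason is passed straight to the client."""
    try:
        return 200, backend_authenticate(identity, password)
    except (IdentityNotMapped, BadCredentials) as exc:
        return 401, str(exc)


GENERIC_FAILURE = "Invalid username or password."


def login_hardened(identity: str, password: str) -> tuple:
    """Fix: same status and message for every failure; detail goes to the server log only."""
    try:
        return 200, backend_authenticate(identity, password)
    except (IdentityNotMapped, BadCredentials) as exc:
        logging.getLogger("webui.auth").info("login failed for %r: %s", identity, exc)
        return 401, GENERIC_FAILURE


def response_discrepancy(handler, existing: str, missing: str) -> bool:
    """Regression check: True if an existing user with a wrong password and an
    unknown user yield different (status, body) pairs, i.e. enumeration is possible."""
    return handler(existing, "wrong-password") != handler(missing, "wrong-password")


if __name__ == "__main__":
    print("vulnerable handler leaks:", response_discrepancy(login_vulnerable, "root", "15251087"))
    print("hardened handler leaks:", response_discrepancy(login_hardened, "root", "15251087"))
```

Equalising the message body removes the content discrepancy this advisory describes; response timing is a separate channel and is not addressed by this check.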

#### Resources:
- OWASP Authentication Cheat Sheet - Authentication and Error Messages: https://cheatsheetseries.owasp.org/cheatsheets/Authentication_Cheat_Sheet.html#authentication-and-error-messages
CVSS 3.1 (GHSA): 5.3
Vulnerability type: CWE-204 (Observable Response Discrepancy)
Published: 25 Feb 2026 · Updated: 7 Mar 2026 · First seen: 6 Mar 2026