CVE-2024-0391
Severity: MEDIUM
Username Enumeration via Email OTP Flow in Multiple WSO2 Products Allows User Account Discovery
Title source: cna
Description
The "check user account lock states" feature within the email OTP flow fails to validate user input, which allows an attacker to infer whether a given username corresponds to a registered user account. Knowledge of valid usernames increases the risk of brute-force and social engineering attacks: attackers can use this information to craft targeted phishing campaigns or other malicious activity aimed at tricking users into divulging sensitive data, potentially damaging the organization's reputation and leading to regulatory non-compliance and financial consequences.
References (1)
Vendor Advisory: https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2026/WSO2-2024-3115/
Scores
CVSS v3: 5.3
EPSS: 0.0018
EPSS Percentile: 8.1%
Attack Vector: NETWORK
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
CISA SSVC (Vulnrichment)
Exploitation: none
Automatable: yes
Technical Impact: partial
Details
CWE: CWE-204 (Observable Response Discrepancy)
Status: published
Products (22)
WSO2 / Email OTP Authenticator: 1.0.18 - 1.0.18.7
WSO2 / Email OTP Authenticator: 1.0.24
wso2 / identity_server: 5.10.0 - 5.10.0.379
wso2 / identity_server_as_key_manager: 5.10.0 - 5.10.267
wso2 / open_banking_iam: 2.0.0 - 2.0.0.318
WSO2 / WSO2 Carbon Authenticator Library For EmailOTP: 3.0.24 - 3.0.24.6
WSO2 / WSO2 Carbon Authenticator Library For EmailOTP: 3.0.26 - 3.0.26.16
WSO2 / WSO2 Carbon Authenticator Library For EmailOTP: 3.0.5 - 3.0.5.8
WSO2 / WSO2 Carbon Authenticator Library For EmailOTP: 4.1.0 - 4.1.0.8
WSO2 / WSO2 Carbon Authenticator Library For EmailOTP: 4.1.22
... and 12 more
Published: May 11, 2026
Tracked Since: May 11, 2026