CVE-2026-25138

MEDIUM

Rucio <35.8.3/<38.5.4/<39.3.1 - Info Disclosure

Title source: llm

Description

Rucio is a software framework that provides functionality to organize, manage, and access large volumes of scientific data using customizable policies. Prior to versions 35.8.3, 38.5.4, and 39.3.1, the WebUI login endpoint returns distinct error messages depending on whether a supplied username exists, allowing unauthenticated attackers to enumerate valid usernames. Versions 35.8.3, 38.5.4, and 39.3.1 fix the issue.

References (5)

[Vendor Advisory] https://github.com/rucio/rucio/security/advisories/GHSA-38wq-6q2w-hcf9

[Various Sources] https://cheatsheetseries.owasp.org/cheatsheets/Authentication_Cheat_Sheet.html#authentication-and-error-messages

[Release Notes] https://github.com/rucio/rucio/releases/tag/35.8.3

[Release Notes] https://github.com/rucio/rucio/releases/tag/38.5.4

[Release Notes] https://github.com/rucio/rucio/releases/tag/39.3.1

Scores

CVSS v3 5.3

EPSS 0.0007

EPSS Percentile 22.0%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable yes

Technical Impact partial

Details

CWE

CWE-204

Status published

Products (2)

cern/rucio < 35.8.3

pypi/rucio-webui 0 - 35.8.3PyPI

Published Feb 25, 2026

Tracked Since Feb 26, 2026