CVE-2024-0391 MEDIUM

CVE-2024-0391: Username Enumeration via Email OTP Flow in Multiple WSO2 Products Allows User Account Discovery

Vendor Wso2
Product WSO2 Identity Server
Weakness CWE-204
Published May 11, 2026
Last update May 11, 2026

CVSS base score

5.3/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality Low
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

What the vulnerability does

01Description

The check user account lock states feature within the email OTP flow fails to validate user input, allowing an attacker to infer the existence of registered user accounts. The discovery of valid usernames can increase the risk of brute-force and social engineering attacks. Attackers can leverage this information to craft targeted phishing campaigns or other malicious activities aimed at tricking users into divulging sensitive data, potentially damaging the organization's reputation and leading to regulatory non-compliance and financial consequences.

Key dates

02Disclosure timeline

May 11, 2026 CVE published
May 11, 2026 Record updated