CVE-2025-1396 LOW

CVE-2025-1396: Username Enumeration in Multiple WSO2 Products with Multi-Attribute Login Enabled

Vendor Wso2
Product WSO2 Identity Server
Weakness CWE-203
Published September 26, 2025
Last update September 30, 2025

CVSS base score

3.7/10
Attack vector Network
Attack complexity High
Privileges required None
User interaction None
Confidentiality Low
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

What the vulnerability does

01Description

A username enumeration vulnerability exists in multiple WSO2 products when Multi-Attribute Login is enabled. In this configuration, the system returns a distinct "User does not exist" error message to the login form, regardless of the validate_username setting. This behavior allows malicious actors to determine which usernames exist in the system based on observable discrepancies in the application's responses. Exploitation of this vulnerability could aid in brute-force attacks, targeted phishing campaigns, or other social engineering techniques by confirming the validity of user identifiers within the system.

Key dates

02Disclosure timeline

September 26, 2025 CVE published
September 30, 2025 Record updated