VYPR
Low severity · NVD Advisory · Published Sep 26, 2025 · Updated Sep 30, 2025

Username Enumeration in Multiple WSO2 Products with Multi-Attribute Login Enabled

CVE-2025-1396

Description

A username enumeration vulnerability exists in multiple WSO2 products when Multi-Attribute Login is enabled. In this configuration, the system returns a distinct "User does not exist" error message to the login form, regardless of the validate_username setting. This behavior allows malicious actors to determine which usernames exist in the system based on observable discrepancies in the application's responses.

Exploitation of this vulnerability could aid in brute-force attacks, targeted phishing campaigns, or other social engineering techniques by confirming the validity of user identifiers within the system.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A username enumeration flaw in WSO2's Multi-Attribute Login lets attackers confirm valid usernames, aiding brute-force and phishing attacks.

Vulnerability Overview

CVE-2025-1396 is a username enumeration vulnerability in multiple WSO2 products when Multi-Attribute Login is enabled. In that configuration the login flow returns a distinct "User does not exist" error message directly to the login form, regardless of the validate_username configuration setting. The response for an unknown username therefore differs observably from the response for an existing username with a wrong password, which is enough to determine whether a given username exists in the system [1][4].

Attack Scenario

An attacker exploits this by submitting login requests with varying usernames and a deliberately wrong password. When Multi-Attribute Login is active, a non-existent username produces the distinct "User does not exist" message while an existing username produces a different failure, so the attacker can sort candidates into valid and invalid identifiers without ever guessing a password. No authentication is required and the attack is performed remotely over the network; the CVSS 3.1 score of 3.7 (Low) reflects high attack complexity and a confidentiality-only impact [1][4].
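The probe described above, as an added example that is not part of the advisory or of WSO2's code: two toy login handlers stand in for the endpoint (one reproduces the distinct "User does not exist" response, the other returns one uniform failure), and enumerate_users is the attacker's oracle. The user store, the usernames, the messages and the control username are all constructed for this example.

```python
"""Username-enumeration oracle against a simulated login form (added example)."""
import hmac
from typing import Callable, Dict, Set

# Constructed sample user store: username -> password. Plaintext only so the
# example is self-contained; a real store holds password hashes.
USER_STORE: Dict[str, str] = {
    "alice": "correct horse battery staple",
    "bob": "hunter2",
}

GENERIC_FAILURE = "Login failed. Please check your username and password."
USER_MISSING = "User does not exist"
DUMMY_CREDENTIAL = "dummy-credential-for-unknown-users"


def vulnerable_login(username: str, password: str) -> str:
    """Leaks account existence: an unknown user gets a different message
    than a known user with a wrong password (the behaviour the advisory describes)."""
    stored = USER_STORE.get(username)
    if stored is None:
        return USER_MISSING
    if stored != password:
        return GENERIC_FAILURE
    return "OK"


def hardened_login(username: str, password: str) -> str:
    """Returns the same message for 'no such user' and 'wrong password'."""
    stored = USER_STORE.get(username)
    # Compare against a dummy credential when the user is unknown so both
    # failure paths do similar work; a uniform message alone still leaves a
    # timing side channel if the unknown-user path returns early.
    candidate = stored if stored is not None else DUMMY_CREDENTIAL
    matches = hmac.compare_digest(candidate.encode(), password.encode())
    if stored is None or not matches:
        return GENERIC_FAILURE
    return "OK"


def enumerate_users(
    login: Callable[[str, str], str],
    candidates: Set[str],
    control: str = "zz-nonexistent-8f3a9c",  # assumed not to exist
) -> Set[str]:
    """Return the candidates whose failure response differs from a known
    non-existent control username. The attacker never needs a valid password:
    every probe uses a wrong one and only the shape of the failure is compared.
    Against a uniform-message endpoint the result is empty."""
    probe_password = "definitely-not-the-password"
    baseline = login(control, probe_password)
    return {name for name in candidates if login(name, probe_password) != baseline}


if __name__ == "__main__":
    wordlist = {"alice", "bob", "carol"}
    print("vulnerable:", sorted(enumerate_users(vulnerable_login, wordlist)))
    print("hardened:  ", sorted(enumerate_users(hardened_login, wordlist)))
```

Running the block prints alice and bob as confirmed accounts for the vulnerable handler and nothing for the hardened one; the only difference between the two handlers is whether the unknown-user path has its own message.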

Impact

With a confirmed list of valid usernames, an attacker can more effectively conduct brute-force password attacks, targeted phishing campaigns, or other social engineering techniques. This information leakage increases the overall risk to the deployment, as it removes the uncertainty about which user identifiers exist on the system [1][4].

Mitigation

WSO2 has issued a fix in the carbon-identity-framework repository and recommends that customers migrate to the latest version of their respective WSO2 products or apply the specified U2 update levels: for WSO2 Identity Server 5.10.0 update level 346, 5.11.0 update level 395, 6.0.0 update level 231, and 6.1.0 update level 223; for WSO2 Open Banking IAM 2.0.0 update level 390; and for WSO2 Identity Server as Key Manager 5.10.0 update level 339 [2][4].
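A complementary check while the update levels above are rolled out, added here as an example and not part of the advisory or of any WSO2 tooling: flag a source address that collects many distinct "User does not exist" responses within a short window, which is the footprint of an enumeration sweep rather than of an ordinary user mistyping one password. The log lines and their field layout are constructed for this example and are not WSO2's log format; the window and threshold are assumed starting points to tune per deployment.

```python
"""Flag sources that probe many unknown usernames in a short window (added example)."""
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Optional, Set

# Constructed sample log lines (NOT WSO2's real format): timestamp, source
# address, submitted username and the message returned to the client.
LOG_LINES: List[str] = """\
2025-09-26 10:00:01 src=203.0.113.5 user=alice msg="Invalid credentials"
2025-09-26 10:00:02 src=203.0.113.5 user=carol msg="User does not exist"
2025-09-26 10:00:03 src=203.0.113.5 user=dave msg="User does not exist"
2025-09-26 10:00:04 src=203.0.113.5 user=erin msg="User does not exist"
2025-09-26 10:00:05 src=203.0.113.5 user=frank msg="User does not exist"
2025-09-26 10:00:06 src=203.0.113.5 user=grace msg="User does not exist"
2025-09-26 10:00:07 src=203.0.113.5 user=heidi msg="User does not exist"
2025-09-26 10:01:00 src=198.51.100.7 user=bob msg="Invalid credentials"
2025-09-26 10:01:30 src=198.51.100.7 user=bob msg="Invalid credentials"
2025-09-26 10:02:00 src=198.51.100.7 user=bobb msg="User does not exist"
2025-09-26 10:30:00 src=192.0.2.9 user=ivan msg="User does not exist"
2025-09-26 10:40:00 src=192.0.2.9 user=judy msg="User does not exist"
""".strip().splitlines()

UNKNOWN_USER_MSG = "User does not exist"
LINE_RE = re.compile(
    r'^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) src=(?P<src>\S+) '
    r'user=(?P<user>\S+) msg="(?P<msg>[^"]*)"$'
)


def parse_line(line: str) -> Optional[dict]:
    """Parse one constructed log line; return None for anything that does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S"),
        "src": m.group("src"),
        "user": m.group("user"),
        "msg": m.group("msg"),
    }


def find_enumeration_sources(
    lines: List[str], window_seconds: int = 300, threshold: int = 5
) -> Dict[str, Set[str]]:
    """Return {source: probed_usernames} for every source that received
    `threshold` or more distinct unknown-user responses within `window_seconds`.

    Repeated failures for one real account (typos, spraying a known user) do
    not count; only distinct unknown usernames do, which is what a sweep
    through a wordlist produces.
    """
    unknown: Dict[str, list] = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["msg"] != UNKNOWN_USER_MSG:
            continue
        unknown[ev["src"]].append((ev["ts"], ev["user"]))

    flagged: Dict[str, Set[str]] = {}
    for src, events in unknown.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Advance the window start until all events in [start, end] fit.
            while (events[end][0] - events[start][0]).total_seconds() > window_seconds:
                start += 1
            names = {user for _, user in events[start:end + 1]}
            if len(names) >= threshold:
                flagged.setdefault(src, set()).update(names)
    return flagged


if __name__ == "__main__":
    for src, names in find_enumeration_sources(LOG_LINES).items():
        print(f"{src}: {len(names)} distinct unknown usernames -> {sorted(names)}")
```

With the defaults only 203.0.113.5 is flagged: 198.51.100.7 is a user retrying one real account plus one typo, and 192.0.2.9's two unknown names are 10 minutes apart. Widening the window to 15 minutes with a threshold of 2 also flags 192.0.2.9, which is the trade-off to tune against the deployment's baseline of legitimate unknown-user failures.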

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: org.wso2.carbon.identity.framework:org.wso2.carbon.identity.input.validation.mgt (Maven)
Affected versions: <= 7.8.103
Patched versions: not listed on this page

Affected products (3)

  • WSO2 / WSO2 Identity Server v5
    Range: 5.10.0
  • WSO2 / WSO2 Identity Server as Key Manager v5
    Range: 5.10.0
  • WSO2 / WSO2 Open Banking IAM v5
    Range: 2.0.0

Patches (1)

5d5d592882a0

Skip username validation for shared users.

3 files changed · +48 −1
  • components/input-validation-mgt/org.wso2.carbon.identity.input.validation.mgt/pom.xml (+15 −1, modified)
    @@ -83,6 +83,14 @@
                 <groupId>org.wso2.carbon.identity.framework</groupId>
                 <artifactId>org.wso2.carbon.identity.claim.metadata.mgt</artifactId>
             </dependency>
    +        <dependency>
    +            <groupId>org.wso2.carbon.identity.organization.management.core</groupId>
    +            <artifactId>org.wso2.carbon.identity.organization.management.service</artifactId>
    +        </dependency>
    +        <dependency>
    +            <groupId>org.wso2.carbon.identity.organization.management</groupId>
    +            <artifactId>org.wso2.carbon.identity.organization.management.organization.user.sharing</artifactId>
    +        </dependency>
         </dependencies>
     
         <build>
    @@ -116,7 +124,13 @@
                                 org.osgi.service.component; version="${osgi.service.component.imp.pkg.version.range}",
                                 org.wso2.carbon.identity.claim.metadata.mgt.*;version="${carbon.identity.package.import.version.range}",
                                 org.wso2.carbon.idp.mgt;version="${carbon.identity.package.import.version.range}",
    -                            org.wso2.carbon.identity.application.common.model.*;version="${carbon.identity.package.import.version.range}"
    +                            org.wso2.carbon.identity.application.common.model.*;version="${carbon.identity.package.import.version.range}",
    +                            org.wso2.carbon.identity.organization.management.service.exception;
    +                            version="${org.wso2.carbon.identity.organization.management.core.version.range}",
    +                            org.wso2.carbon.identity.organization.management.service.util;
    +                            version="${org.wso2.carbon.identity.organization.management.core.version.range}",
    +                            org.wso2.carbon.identity.organization.management.organization.user.sharing.util;
    +                            version="${org.wso2.carbon.identity.organization.management.version.range}"
                             </Import-Package>
                             <Export-Package>
                                 !org.wso2.carbon.identity.input.validation.mgt.internal,
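Review bot: the two new Import-Package entries reference `${org.wso2.carbon.identity.organization.management.core.version.range}` and `${org.wso2.carbon.identity.organization.management.version.range}`, but nothing in this patch defines either property; the root pom.xml hunk further down only adds a dependency pinned with `${org.wso2.carbon.identity.organization.management.version}`. Confirm both `.range` properties already exist in the root pom, otherwise the bundle's OSGi imports carry a literal, unsatisfiable version range at runtime.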
    
  • components/input-validation-mgt/org.wso2.carbon.identity.input.validation.mgt/src/main/java/org/wso2/carbon/identity/input/validation/mgt/listener/InputValidationListener.java (+28 −0, modified)
    @@ -21,6 +21,7 @@
     import org.apache.commons.logging.Log;
     import org.apache.commons.logging.LogFactory;
     import org.apache.logging.log4j.message.StringFormattedMessage;
    +import org.wso2.carbon.context.PrivilegedCarbonContext;
     import org.wso2.carbon.identity.core.AbstractIdentityUserOperationEventListener;
     import org.wso2.carbon.identity.core.util.IdentityCoreConstants;
     import org.wso2.carbon.identity.core.util.IdentityTenantUtil;
    @@ -35,6 +36,9 @@
     import org.wso2.carbon.identity.input.validation.mgt.services.InputValidationManagementService;
     import org.wso2.carbon.identity.input.validation.mgt.services.InputValidationManagementServiceImpl;
     import org.wso2.carbon.identity.mgt.policy.PolicyViolationException;
    +import org.wso2.carbon.identity.organization.management.organization.user.sharing.util.OrganizationSharedUserUtil;
    +import org.wso2.carbon.identity.organization.management.service.exception.OrganizationManagementException;
    +import org.wso2.carbon.identity.organization.management.service.util.OrganizationManagementUtil;
     import org.wso2.carbon.user.core.UserStoreException;
     import org.wso2.carbon.user.core.UserStoreManager;
     import org.wso2.carbon.user.core.util.UserCoreUtil;
    @@ -87,6 +91,12 @@ public boolean doPreAddUser(String userName, Object credential, String[] roleLis
             if (IS_USERNAME_VALIDATION_ENABLED && !UserCoreUtil.getSkipUsernamePatternValidationThreadLocal()) {
                 validationRequiredFieldWithValues.put(USERNAME, userName);
             }
    +        // Username validation should be skipped when sharing users to sub-organizations. Setting the relevant thread
    +        // local flag to true to skip username validation in later stages of user creation as well.
    +        if (skipUsernameValidation(claims)) {
    +            validationRequiredFieldWithValues.remove(USERNAME);
    +            UserCoreUtil.setSkipUsernamePatternValidationThreadLocal(true);
    +        }
             return validate(validationRequiredFieldWithValues, userStoreManager);
         }
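Review bot: `UserCoreUtil.setSkipUsernamePatternValidationThreadLocal(true)` is set here but never cleared anywhere in this patch; unless a post-add listener or the caller resets it, the flag outlives this user-creation call and later operations on the same (pooled) thread skip username validation as well. Reset it in a finally block or in the matching doPostAddUser. Separately, the decision rests on `OrganizationSharedUserUtil.isSharedUser(claims)` where `claims` is the caller-supplied claim map: confirm the claim it inspects cannot be set through ordinary user-provisioning requests, otherwise any caller can opt out of username validation by including it. Note also that this hunk changes user creation only; nothing in the visible diff touches the login path that emits the "User does not exist" message the advisory describes.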
     
    @@ -210,4 +220,22 @@ private boolean validateAgainstConfiguration(ValidationConfiguration configurati
             }
             return true;
         }
    +
    +    /**
    +     * Skip username validation when sharing users to sub-organizations.
    +     *
    +     * @param claims User claims.
    +     * @return True if username validation is to be skipped.
    +     */
    +    private boolean skipUsernameValidation(Map<String, String> claims) {
    +
    +        String tenantDomain = PrivilegedCarbonContext.getThreadLocalCarbonContext().getTenantDomain();
    +        try {
    +            return OrganizationManagementUtil.isOrganization(tenantDomain) &&
    +                    OrganizationSharedUserUtil.isSharedUser(claims);
    +        } catch (OrganizationManagementException e) {
    +            LOG.error("Error while checking if tenant: " + tenantDomain + " is an organization.", e);
    +        }
    +        return false;
    +    }
     }
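Review bot: the catch branch logs and returns false, so an OrganizationManagementException keeps validation on, which is the safe default, but the Javadoc `@return` reads as if only the happy path exists; state the fail-closed behaviour there. The tenant domain is read from `PrivilegedCarbonContext.getThreadLocalCarbonContext()` rather than derived from the userStoreManager passed to doPreAddUser; if the thread-local context can differ from the store's tenant on any code path, the wrong tenant is checked. Minor: the log line builds its message by string concatenation while the file already imports StringFormattedMessage; pick one style.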
    
  • pom.xml (+5 −0, modified)
    @@ -1278,6 +1278,11 @@
                     <artifactId>org.wso2.carbon.identity.organization.resource.sharing.policy.management</artifactId>
                     <version>${org.wso2.carbon.identity.organization.management.version}</version>
                 </dependency>
    +            <dependency>
    +                <groupId>org.wso2.carbon.identity.organization.management</groupId>
    +                <artifactId>org.wso2.carbon.identity.organization.management.organization.user.sharing</artifactId>
    +                <version>${org.wso2.carbon.identity.organization.management.version}</version>
    +            </dependency>
     
                 <dependency>
                     <groupId>org.wso2.carbon.identity.organization.management</groupId>
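Review bot: only the `org.wso2.carbon.identity.organization.management.organization.user.sharing` artifact is added to dependencyManagement here, yet the module pom.xml hunk above also adds `org.wso2.carbon.identity.organization.management.service` (groupId `org.wso2.carbon.identity.organization.management.core`) with no version. That resolves only if the core artifact is already managed in the root pom; verify it is, or the module build fails with a missing-version error.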
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

5
