OMERO.web displays unnecessary user information when requesting to reset the password
Description
OMERO.web provides a web-based client and plugin infrastructure. Prior to version 5.29.2, if an error occurred when resetting a user's password using the Forgot Password option in OMERO.web, the error message displayed on the web page could disclose information about the user. This issue has been patched in version 5.29.2. A workaround is to disable the Forgot Password option in OMERO.web using the omero.web.show_forgot_password configuration property.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
In OMERO.web before 5.29.2, a password reset error message reveals whether a given email or username exists, enabling user enumeration attacks.
OMERO.web, a Django-based web client for the OMERO platform, provides a "Forgot Password" feature to allow users to reset their passwords. Prior to version 5.29.2, when an error occurred during password reset (for example, if the provided email or username did not match any user), the error message displayed on the webpage could disclose whether the user identity was valid. Specifically, the application would return a detailed error message from the server rather than a generic message, revealing the existence or non-existence of the account [1][3].
The vulnerability is triggered without authentication, as the "Forgot Password" form is accessible to any visitor. No special privileges or user interaction beyond submitting the form are required. The root cause lies in the error handling logic: on failure the view copied the first parameter of the backend's omero.CmdError (which carried user-specific detail) into the page's error text, instead of returning a uniform message in all cases [4].
An attacker could exploit this by submitting various emails or usernames to the password reset endpoint and observing the error messages. If the message differs between an existing and non-existing user, the attacker can enumerate valid user accounts. This information disclosure can then be chained with other attacks, such as brute-force or targeted phishing, increasing the risk to user privacy and account security [1][3].
The issue has been patched in OMERO.web version 5.29.2. The fix ensures that regardless of the error outcome, the same generic message—"Password was reset. Check your mailbox."—is returned, preventing any information leakage [4]. For those unable to upgrade immediately, a workaround is available: disabling the "Forgot Password" option entirely by setting the configuration property omero.web.show_forgot_password to false [1].
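The following is an added example, not code from omero-web or from this advisory, that models the two behaviours described above so the enumeration oracle can be seen end to end. Everything in it is constructed for the demonstration: CmdError is a stand-in for omero.CmdError (the real one carries its parameters on an .err attribute), FakeBackend stands in for the OMERO server, the "Unknown user" text is an assumed backend error, and enumerate_users is the attacker-side logic that compares each candidate's response with that of a name assumed not to exist. Only the shape of the error handling mirrors the pre- and post-5.29.2 view.

```python
"""Password-reset oracle before and after the OMERO.web 5.29.2 fix (constructed model)."""
import logging

logger = logging.getLogger(__name__)

UNIFORM_MESSAGE = "Password was reset. Check your mailbox."


class CmdError(Exception):
    """Constructed stand-in for omero.CmdError; real one exposes .err.parameters."""

    def __init__(self, parameters):
        super().__init__(str(parameters))
        self.parameters = parameters


class FakeBackend:
    """Constructed stand-in for the OMERO server: a fixed set of known accounts."""

    def __init__(self, users):
        self.users = set(users)

    def reset_password(self, username):
        if username not in self.users:
            # Assumed backend error; no mail is sent for an unknown account.
            raise CmdError({"message": "Unknown user"})
        # Success: the real server would queue a reset mail here.


def reset_vulnerable(backend, username):
    """Pre-5.29.2 shape: the backend's own error text reaches the page."""
    try:
        backend.reset_password(username)
        error = UNIFORM_MESSAGE
    except CmdError as exp:
        logger.error(exp)
        try:
            # Old code took the first parameter value (keys()[0]); same idea here.
            error = exp.parameters[next(iter(exp.parameters))]
        except Exception:
            error = str(exp)
    return error


def reset_fixed(backend, username):
    """5.29.2 shape: same message whatever the backend said."""
    try:
        backend.reset_password(username)
    except CmdError as exp:
        logger.error(exp)  # real cause stays server-side only
    # always return the same message to prevent information leakage
    return UNIFORM_MESSAGE


def enumerate_users(handler, backend, candidates, probe="zz-surely-not-a-user-zz"):
    """Attacker view: any candidate answered differently from a name assumed
    not to exist is treated as a valid account."""
    baseline = handler(backend, probe)
    return sorted(c for c in candidates if handler(backend, c) != baseline)


if __name__ == "__main__":
    backend = FakeBackend({"alice", "root"})
    candidates = ["alice", "bob", "root", "carol"]
    print("vulnerable:", enumerate_users(reset_vulnerable, backend, candidates))
    print("fixed:     ", enumerate_users(reset_fixed, backend, candidates))
```

Run as a script, the vulnerable handler hands the attacker exactly the accounts that exist, while the fixed handler gives nothing to distinguish. The oracle compares whole responses rather than looking for a specific string, which is how an attacker would proceed without knowing the server's wording in advance.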
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| omero-web (PyPI) | < 5.29.2 | 5.29.2 |
Affected products
- ome/omero-web (v5): range < 5.29.2
Patches
8aa2789e8f75 Security vulnerability fix
2 files changed · +11 −5
CHANGELOG.md+7 −0 modified@@ -1,3 +1,10 @@ +5.29.2 (August 2025) +------------------ + +## Bug fixes + +- Security vulnerability fix [CVE-2025-54791](https://github.com/ome/omero-web/security/advisories/GHSA-gpmg-4x4g-mr5r) + 5.29.1 (June 2025) ------------------
omeroweb/webadmin/views.py+4 −5 modified@@ -390,14 +390,13 @@ def getGuestConnection(server_id): conn._waitOnCmd(handle) finally: handle.close() - error = "Password was reset. Check your mailbox." form = None except omero.CmdError as exp: logger.error(exp.err) - try: - error = exp.err.parameters[exp.err.parameters.keys()[0]] - except Exception: - error = exp + + # always return the same message to prevent information leakage + error = "Password was reset. Check your mailbox." + else: form = ForgottonPasswordForm()
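Review bot: in the views.py hunk only the `error` string becomes uniform; `form = None` is still set inside the `try` on the success path, while the `except omero.CmdError as exp:` path leaves `form` as it was, so if the template renders the form when it is set and omits it when it is `None`, the page for an unknown user still differs from the page for a known one. Move `form = None` next to the new `error = "Password was reset. Check your mailbox."` after the `try`/`except` so the whole response, not just the message, is identical in both outcomes. A residual timing difference also remains, since only the success path runs `conn._waitOnCmd(handle)`; that is harder to close but worth noting in the advisory. Keeping `logger.error(exp.err)` is correct: the real cause belongs in the server log, not on the page.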
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-gpmg-4x4g-mr5r (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2025-54791 (GHSA, advisory)
- github.com/ome/omero-web/commit/8aa2789e8f759c73f1517abe9a0abd44e86644ad (GHSA, x_refsource_MISC, web)
- github.com/ome/omero-web/security/advisories/GHSA-gpmg-4x4g-mr5r (GHSA, x_refsource_CONFIRM, web)
News mentions
No linked articles in our index yet.