Rucio WebUI has Username Enumeration via Login Error Message
Description
Rucio is a software framework that provides functionality to organize, manage, and access large volumes of scientific data using customizable policies. Prior to versions 35.8.3, 38.5.4, and 39.3.1, the WebUI login endpoint returns distinct error messages depending on whether a supplied username exists, allowing unauthenticated attackers to enumerate valid usernames. Versions 35.8.3, 38.5.4, and 39.3.1 fix the issue.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Rucio WebUI login endpoint returns distinct error messages for existing vs. non-existing usernames, allowing unauthenticated attackers to enumerate valid users.
The vulnerability exists in the Rucio WebUI login endpoint /ui/login, which responds with different error messages depending on whether the submitted username exists in the system. When a non-existent username is provided, the error message states "Cannot get find any account associated with identity." In contrast, an existing username with an incorrect password yields a different error: "Cannot get auth token. It is possible that the presented identity is not mapped to any Rucio account." This behavioral difference directly enables username enumeration [3].
An unauthenticated attacker can exploit this by sending a series of login requests with various usernames and analyzing the error responses. No authentication or special network access is required; the WebUI is typically exposed to the internet. The attacker can systematically determine which usernames are valid, building a list of legitimate accounts [3].
The impact of this vulnerability is that an attacker can compile a list of valid usernames, which can then be used for targeted attacks such as password guessing, credential stuffing, or social engineering campaigns. The enumeration lowers the barrier for further exploitation by reducing the search space for usernames [3].
The issue is fixed in Rucio versions 35.8.3, 38.5.4, and 39.3.1 by returning a generic authentication failure message for all login errors, regardless of username existence. This remediation aligns with the OWASP Authentication Cheat Sheet guidance to avoid disclosing account existence through error messages [1]. Users should upgrade to a patched version or apply the provided mitigation if upgrading is not immediately possible [3].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
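The pre-fix and fixed login behaviour described above, as an added Python illustration that is not Rucio's code: the account store, hash scheme, and the generic message wording are assumptions; the two pre-fix error strings are the ones quoted in the advisory. The regression check shows how to catch the leak in tests rather than how to exploit it.

```python
import hashlib
import hmac
import secrets

# Constructed demo account store (not Rucio's real storage):
# username -> PBKDF2-SHA256 hash of the password.
def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

_SALT = b"demo-salt-0123456789"
ACCOUNTS = {"alice": _hash("correct horse", _SALT)}
# Dummy hash so the unknown-user path does the same work as the known-user path.
_DUMMY_HASH = _hash(secrets.token_hex(8), _SALT)

# Pre-fix messages as quoted in the advisory text.
MSG_NO_ACCOUNT = "Cannot get find any account associated with identity."
MSG_BAD_TOKEN = ("Cannot get auth token. It is possible that the presented "
                 "identity is not mapped to any Rucio account.")
MSG_GENERIC = "Authentication failed."  # assumed wording for the fixed path

def login_vulnerable(username: str, password: str) -> tuple[int, str]:
    """Pre-fix shape: the error text reveals whether the username exists."""
    stored = ACCOUNTS.get(username)
    if stored is None:
        return 401, MSG_NO_ACCOUNT
    if not hmac.compare_digest(stored, _hash(password, _SALT)):
        return 401, MSG_BAD_TOKEN
    return 200, "ok"

def login_fixed(username: str, password: str) -> tuple[int, str]:
    """Fixed shape: one status and one message for every failure."""
    stored = ACCOUNTS.get(username, _DUMMY_HASH)  # always verify some hash
    ok = hmac.compare_digest(stored, _hash(password, _SALT))
    if ok and username in ACCOUNTS:
        return 200, "ok"
    return 401, MSG_GENERIC

def leaks_account_existence(handler) -> bool:
    """Regression check: do 'unknown user' and 'wrong password' responses differ?"""
    unknown_user = handler("nobody-here", "x")
    wrong_password = handler("alice", "x")
    return unknown_user != wrong_password

if __name__ == "__main__":
    print("vulnerable leaks:", leaks_account_existence(login_vulnerable))  # True
    print("fixed leaks:", leaks_account_existence(login_fixed))            # False
```

The check compares status code and body together, since a differing status or content length would leak the same information as differing text.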
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| rucio-webui (PyPI) | < 35.8.3 | 35.8.3 |
| rucio-webui (PyPI) | >= 36.0.0rc1, < 38.5.4 | 38.5.4 |
| rucio-webui (PyPI) | >= 39.0.0rc1, < 39.3.1 | 39.3.1 |
Affected products
- rucio/rucio (v5), range: < 35.8.3
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-38wq-6q2w-hcf9 (GitHub advisory)
- nvd.nist.gov/vuln/detail/CVE-2026-25138 (NVD entry)
- cheatsheetseries.owasp.org/cheatsheets/Authentication_Cheat_Sheet.html (OWASP Authentication Cheat Sheet)
- github.com/rucio/rucio/releases/tag/35.8.3 (release notes)
- github.com/rucio/rucio/releases/tag/38.5.4 (release notes)
- github.com/rucio/rucio/releases/tag/39.3.1 (release notes)
- github.com/rucio/rucio/security/advisories/GHSA-38wq-6q2w-hcf9 (vendor advisory)
News mentions
No linked articles in our index yet.