WSO2 Identity Server: OTP Account Lock State Bypass Allows Username Enumeration
CVE-2024-0391 Published on May 11, 2026
Username Enumeration via Email OTP Flow in Multiple WSO2 Products Allows User Account Discovery
The check user account lock states feature within the email OTP flow fails to validate user input, allowing an attacker to infer the existence of registered user accounts.
The discovery of valid usernames can increase the risk of brute-force and social engineering attacks. Attackers can leverage this information to craft targeted phishing campaigns or other malicious activities aimed at tricking users into divulging sensitive data, potentially damaging the organization's reputation and leading to regulatory non-compliance and financial consequences.
Vulnerability Analysis
CVE-2024-0391 can be exploited with network access, and does not require authorization privileges or user interaction. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to have a small impact on confidentiality, a small impact on integrity and availability.
Weakness Type
Observable Response Discrepancy
The product provides different responses to incoming requests in a way that reveals internal state information to an unauthorized actor outside of the intended control sphere. This issue frequently occurs during authentication, where a difference in failed-login messages could allow an attacker to determine if the username is valid or not. These exposures can be inadvertent (bug) or intentional (design).
Products Associated with CVE-2024-0391
Want to know whenever a new CVE is published for Wso2 products? stack.watch will email you.
Affected Versions
WSO2 Identity Server:- Before 5.10.0 is unknown.
- Version 5.10.0 and below 5.10.0.379 is affected.
- Version 5.11.0 and below 5.11.0.426 is affected.
- Version 5.11.0 and below 5.11.0.431 is affected.
- Version 6.0.0 and below 6.0.0.253 is affected.
- Version 6.1.0 and below 6.1.0.254 is affected.
- Version 7.0.0 and below 7.0.0.131 is affected.
- Before 2.0.0 is unknown.
- Version 2.0.0 and below 2.0.0.318 is affected.
- Before 5.10.0 is unknown.
- Version 5.10.0 and below 5.10.0.267 is affected.
- Version 1.0.18 and below 1.0.18.7 is affected.
- Version 1.0.24, <= * is unaffected.
- Version 4.1.0 and below 4.1.0.8 is affected.
- Version 4.1.4 and below 4.1.4.9 is affected.
- Version 4.1.22, <= * is unaffected.
- Version 3.0.5 and below 3.0.5.8 is affected.
- Version 3.0.24 and below 3.0.24.6 is affected.
- Version 3.0.26 and below 3.0.26.16 is affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.