Description

A username enumeration vulnerability exists in multiple WSO2 products when Multi-Attribute Login is enabled. In this configuration, the system returns a distinct "User does not exist" error message to the login form, regardless of the validate_username setting. This behavior allows malicious actors to determine which usernames exist in the system based on observable discrepancies in the application's responses. Exploitation of this vulnerability could aid in brute-force attacks, targeted phishing campaigns, or other social engineering techniques by confirming the validity of user identifiers within the system.

INFO

Published Date :

2025-09-26T07:52:52.297Z

Last Modified :

2025-09-30T15:43:31.106Z

Source :

WSO2
AFFECTED PRODUCTS

The following products are affected by CVE-2025-1396 vulnerability.

Vendors Products
Wso2
  • Identity Server
  • Identity Server As Key Manager
  • Open Banking Iam
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2025-1396.

URL Resource
https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2025-3983/ cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact