Description
The check user account lock states feature within the email OTP flow fails to validate user input, allowing an attacker to infer the existence of registered user accounts.

The discovery of valid usernames can increase the risk of brute-force and social engineering attacks. Attackers can leverage this information to craft targeted phishing campaigns or other malicious activities aimed at tricking users into divulging sensitive data, potentially damaging the organization's reputation and leading to regulatory non-compliance and financial consequences.
Published: 2026-05-11
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The email OTP flow in several WSO2 products validates user input incorrectly, allowing an attacker to determine whether a given email address is registered as a user account. This constitutes an account enumeration vulnerability, enabling an adversary to gather a list of valid usernames that can later be targeted for brute‑force or social‑engineering attacks. The weakness is classified as CWE‑204, a flaw in how input is validated when checking account lock states.

Affected Systems

The affected products include WSO2 Email OTP Authenticator, the WSO2 Carbon Authenticator Library for EmailOTP, WSO2 Identity Server, WSO2 Identity Server as Key Manager, and WSO2 Open Banking IAM. No specific version constraints were provided, so all released versions of these components are potentially impacted.

Risk and Exploitability

The CVSS score of 5.3 indicates medium severity, and the EPSS score of less than 1% suggests a low probability of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. An attacker could exploit it remotely by sending crafted OTP verification requests to the authentication endpoint and observing the responses, thereby learning which accounts are registered; that list of valid accounts is the input for the follow-on attacks described above.

Generated by OpenCVE AI on May 11, 2026 at 17:06 UTC.

Remediation

Vendor Solution

Follow the instructions given on https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2026/WSO2-2024-3115/#solution


OpenCVE Recommended Actions

  • Follow the patch instructions detailed in the WSO2 security advisory to permanently fix the input validation flaw.
  • Restrict access to the OTP authentication endpoint by permitting only trusted IP ranges or internal networks to reduce the attack surface for enumeration attempts.
  • Implement additional rate‑limiting or multi‑factor authentication controls to deter automated enumeration and mitigate the impact of any residual discovery capability.

Generated by OpenCVE AI on May 11, 2026 at 17:06 UTC.

Advisories

No advisories yet.

History

Tue, 12 May 2026 09:15:00 +0000

Values removed: none. Values added:

First Time appeared: Wso2 identity Server; Wso2 identity Server As Key Manager; Wso2 open Banking Iam
Vendors & Products: Wso2 identity Server; Wso2 identity Server As Key Manager; Wso2 open Banking Iam

Mon, 11 May 2026 15:15:00 +0000

Values removed: none. Values added:

Description: The check user account lock states feature within the email OTP flow fails to validate user input, allowing an attacker to infer the existence of registered user accounts. The discovery of valid usernames can increase the risk of brute-force and social engineering attacks. Attackers can leverage this information to craft targeted phishing campaigns or other malicious activities aimed at tricking users into divulging sensitive data, potentially damaging the organization's reputation and leading to regulatory non-compliance and financial consequences.
Title: Username Enumeration via Email OTP Flow in Multiple WSO2 Products Allows User Account Discovery
First Time appeared: Wso2; Wso2 email Otp Authenticator; Wso2 wso2 Carbon Authenticator Library For Emailotp; Wso2 wso2 Identity Server; Wso2 wso2 Identity Server As Key Manager; Wso2 wso2 Open Banking Iam
Weaknesses: CWE-204
CPEs:
cpe:2.3:a:wso2:email_otp_authenticator:*:*:*:*:*:*:*:*
cpe:2.3:a:wso2:wso2_carbon_authenticator_library_for_emailotp:*:*:*:*:*:*:*:*
cpe:2.3:a:wso2:wso2_identity_server:*:*:*:*:*:*:*:*
cpe:2.3:a:wso2:wso2_identity_server_as_key_manager:*:*:*:*:*:*:*:*
cpe:2.3:a:wso2:wso2_open_banking_iam:*:*:*:*:*:*:*:*
Vendors & Products: Wso2; Wso2 email Otp Authenticator; Wso2 wso2 Carbon Authenticator Library For Emailotp; Wso2 wso2 Identity Server; Wso2 wso2 Identity Server As Key Manager; Wso2 wso2 Open Banking Iam
References: (none listed)
Metrics:
cvssV3_1: {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}
ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


MITRE

Status: PUBLISHED

Assigner: WSO2

Published:

Updated: 2026-05-11T12:46:03.691Z

Reserved: 2024-01-10T09:02:14.122Z

Link: CVE-2024-0391

Vulnrichment

Updated: 2026-05-11T12:45:59.492Z

NVD

Status: Received

Published: 2026-05-11T10:16:11.593

Modified: 2026-05-11T10:16:11.593

Link: CVE-2024-0391

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-12T09:00:06Z

Weaknesses