Description
Rucio is a software framework that provides functionality to organize, manage, and access large volumes of scientific data using customizable policies. Prior to versions 35.8.3, 38.5.4, and 39.3.1, the WebUI login endpoint returns distinct error messages depending on whether a supplied username exists, allowing unauthenticated attackers to enumerate valid usernames. Versions 35.8.3, 38.5.4, and 39.3.1 fix the issue.
Published: 2026-02-25
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Information Disclosure via Username Enumeration
Action: Patch
AI Analysis

Impact

The vulnerability in the Rucio WebUI allows an unauthenticated user to learn whether a username exists, because the login endpoint returns distinct error messages for a nonexistent account and for a wrong password. This is an observable response discrepancy (CWE‑204). Based on the description, an attacker could use this information to focus credential‑stuffing or social‑engineering attempts, but the flaw itself does not grant an authentication bypass or direct access to protected resources. The issue exists only in the login response; no authentication bypass or arbitrary command execution occurs.
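The pattern described above, as an added illustration that is not Rucio's code: a login handler whose error text differs by username existence, beside a hardened one that returns a single generic message and does the same amount of work on every path, plus a regression check a defender can run against either handler. The user store, salt and passwords are constructed sample data.

```python
import hashlib
import hmac

# Constructed sample credential store: username -> PBKDF2 hash (not Rucio data).
SALT = b"constructed-sample-salt"


def derive(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 50_000)


USERS = {"alice": derive("correct horse battery")}
# Dummy hash compared against when the user is unknown, so timing and
# code path do not depend on whether the account exists.
DUMMY_HASH = derive("placeholder-not-a-real-password")


def login_leaky(username: str, password: str) -> tuple[int, str]:
    """Vulnerable pattern (CWE-204): the message reveals whether the user exists."""
    if username not in USERS:
        return 401, "Unknown user"
    if not hmac.compare_digest(USERS[username], derive(password)):
        return 401, "Wrong password"
    return 200, "ok"


def login_uniform(username: str, password: str) -> tuple[int, str]:
    """Hardened pattern: one generic message, and a hash comparison on every path."""
    stored = USERS.get(username, DUMMY_HASH)
    password_ok = hmac.compare_digest(stored, derive(password))
    if not (password_ok and username in USERS):
        return 401, "Invalid username or password"
    return 200, "ok"


def leaks_username_existence(handler, known_user: str, unknown_user: str) -> bool:
    """Defensive check: a known user with a bad password and an unknown user must
    receive identical (status, message) responses. Returns True if the handler leaks."""
    bad = "definitely-not-the-password"
    return handler(known_user, bad) != handler(unknown_user, bad)


if __name__ == "__main__":
    print("leaky handler leaks:", leaks_username_existence(login_leaky, "alice", "mallory"))
    print("uniform handler leaks:", leaks_username_existence(login_uniform, "alice", "mallory"))
```

The same check can be pointed at a real login endpoint by replacing the handler with a function that submits the form and returns the status code and error body.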

Affected Systems

The issue affects the Rucio data‑management framework in releases prior to 35.8.3, 38.5.4, and 39.3.1. Versions 35.8.3, 38.5.4, and 39.3.1 (and later releases in each line) contain the fix.

Risk and Exploitability

The CVSS score is 5.3, indicating moderate severity. EPSS is less than 1%, suggesting a low exploitation probability at present. The vulnerability is not listed in CISA's KEV catalog. An attacker could exploit it by sending unauthenticated requests to the login endpoint and comparing the error messages to enumerate usernames. The attack vector is network (HTTP/HTTPS), and no prerequisites such as prior authentication or user interaction are required.

Generated by OpenCVE AI on April 18, 2026 at 17:40 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Rucio to a fixed release in the deployed line: 35.8.3, 38.5.4, or 39.3.1 (or later).
  • Restrict access to the Rucio WebUI to trusted IP ranges or VPN to limit exposure to unauthorized users.
  • Implement rate‑limiting or CAPTCHA on the login endpoint to reduce the feasibility of enumeration attempts.

Generated by OpenCVE AI on April 18, 2026 at 17:40 UTC.

Tracking


Advisories
Source: Github GHSA
ID: GHSA-38wq-6q2w-hcf9
Title: Rucio WebUI has Username Enumeration via Login Error Message
History

Fri, 27 Feb 2026 17:45:00 +0000

Type Values Removed Values Added
First Time appeared Cern
Cern rucio
CPEs cpe:2.3:a:cern:rucio:*:*:*:*:*:*:*:*
Vendors & Products Cern
Cern rucio

Thu, 26 Feb 2026 22:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 26 Feb 2026 13:30:00 +0000

Type Values Removed Values Added
First Time appeared Rucio
Rucio rucio
Vendors & Products Rucio
Rucio rucio

Wed, 25 Feb 2026 20:00:00 +0000

Type Values Removed Values Added
Description Rucio is a software framework that provides functionality to organize, manage, and access large volumes of scientific data using customizable policies. Prior to versions 35.8.3, 38.5.4, and 39.3.1, the WebUI login endpoint returns distinct error messages depending on whether a supplied username exists, allowing unauthenticated attackers to enumerate valid usernames. Versions 35.8.3, 38.5.4, and 39.3.1 fix the issue.
Title Rucio WebUI has Username Enumeration via Login Error Message
Weaknesses CWE-204
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-26T16:03:22.817Z

Reserved: 2026-01-29T14:03:42.540Z

Link: CVE-2026-25138

Vulnrichment

Updated: 2026-02-26T16:03:10.105Z

NVD

Status: Analyzed

Published: 2026-02-25T20:23:47.457

Modified: 2026-02-27T17:35:41.793

Link: CVE-2026-25138

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T17:45:06Z

Weaknesses