Description
MCO is vulnerable to User Enumeration through authentication-related functionalities. The application returns distinguishable responses for valid and invalid users during username reminder and password reset operations. An attacker can leverage these differences to enumerate valid usernames and email addresses.

Because vendor contact attempts were unsuccessful, the vulnerability has only been confirmed in version 25.3.3.1 but may also affect other versions.
Published: 2026-07-01
Score: 6.9 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

MCO is vulnerable to User Enumeration through authentication‑related functionalities. The application returns distinguishable responses for valid and invalid users during username reminder and password reset operations, enabling an attacker to identify legitimate usernames and email addresses. The weakness is classified as CWE‑204 (Observable Response Discrepancy); the account information it discloses can facilitate targeted phishing or credential‑guessing attacks.

Affected Systems

MyComplianceOffice MCO version 25.3.3.1 has been confirmed to contain the vulnerability; other versions may also be affected. No additional vendor or product information is available.

Risk and Exploitability

The CVSS score is 6.9, and no EPSS score is available. The vulnerability is not listed in the CISA KEV catalog. The attack vector is inferred to be the web application: an attacker submits username reminder or password reset requests and observes the differing responses. No publicly documented exploits exist to date, but because such requests are trivial to submit, exploitation is likely wherever the system is exposed to unauthenticated users.

Generated by OpenCVE AI on July 1, 2026 at 16:57 UTC.

Remediation

No vendor fix or workaround is currently available.

OpenCVE Recommended Actions

  • Deploy future MCO updates that contain the fix, once a patch is released by MyComplianceOffice.
  • Configure the application to return uniform responses for username reminder and password reset requests, eliminating user‑specific error messages.
  • Restrict or monitor access to the account recovery endpoints, applying IP filtering, rate limiting, or mandatory MFA for administrative accounts.
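The second recommended action above (uniform responses for account-recovery requests) is easiest to see in code. The following is an added illustration, not code from the advisory, OpenCVE or MyComplianceOffice: a password-reset request handler in the response pattern the advisory describes, the uniform-response version beside it, and a defender-side check that compares the handler's answers for a known and an unknown address. The user store, the `Response`/`Outbox` types and the e-mail addresses are constructed stand-ins.

```python
"""Added illustration of CWE-204 in an account-recovery endpoint and its fix.
Not the vendor's code; the user store and mail outbox are constructed stand-ins."""
import secrets
from dataclasses import dataclass, field

# Constructed sample user store (assumption: keyed by lower-cased e-mail address).
USERS = {"alice@example.com": {"username": "alice"}}


@dataclass
class Response:
    """Minimal stand-in for an HTTP response: status code and body text."""
    status: int
    body: str


@dataclass
class Outbox:
    """Stand-in for the mail subsystem; records (recipient, token) pairs."""
    sent: list = field(default_factory=list)


def reset_request_vulnerable(email: str, outbox: Outbox) -> Response:
    """Pattern the advisory describes: status code and message both reveal
    whether an account exists for the submitted address."""
    user = USERS.get(email.lower())
    if user is None:
        return Response(404, "No account is registered for this email address.")
    token = secrets.token_urlsafe(32)
    outbox.sent.append((email, token))
    return Response(200, f"A reset link has been sent to {email}.")


def reset_request_hardened(email: str, outbox: Outbox) -> Response:
    """Uniform response: identical status and body whether or not the address
    is known. The token is generated on every path so the visible work is the
    same; only the e-mail dispatch depends on the account actually existing."""
    user = USERS.get(email.lower())
    token = secrets.token_urlsafe(32)
    if user is not None:
        outbox.sent.append((email, token))
    return Response(
        200, "If an account exists for that address, a reset link has been sent."
    )


def response_discrepancy(handler, known: str, unknown: str) -> bool:
    """Defender-side check for a recovery endpoint: True when the handler answers
    a known and an unknown address with a different status or body, i.e. when
    account existence is observable from the response."""
    a = handler(known, Outbox())
    b = handler(unknown, Outbox())
    return (a.status, a.body) != (b.status, b.body)


if __name__ == "__main__":
    known, unknown = "alice@example.com", "nobody@example.com"
    print("vulnerable handler leaks account existence:",
          response_discrepancy(reset_request_vulnerable, known, unknown))
    print("hardened handler leaks account existence:  ",
          response_discrepancy(reset_request_hardened, known, unknown))
```

The same pattern applies to the username reminder flow: the reply to the client must not depend on whether the e-mail address is registered, and the lookup result should only influence what is sent out of band (the reminder e-mail), never the page or status code the requester sees. A test like `response_discrepancy` belongs in the regression suite for every account-recovery endpoint, since a later change to an error message can quietly reintroduce the discrepancy.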


Tracking


Advisories

No advisories yet.

History

Wed, 01 Jul 2026 14:30:00 +0000

Type    | Values Removed | Values Added
Metrics |                | ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 01 Jul 2026 12:45:00 +0000

Type        | Values Removed | Values Added
Description |                | MCO is vulnerable to User Enumeration through authentication-related functionalities. The application returns distinguishable responses for valid and invalid users during username reminder and password reset operations. An attacker can leverage these differences to enumerate valid usernames and email addresses. Because vendor contact attempts were unsuccessful, the vulnerability has only been confirmed in version 25.3.3.1 but may also affect other versions.
Title       |                | User Enumeration in MCO
Weaknesses  |                | CWE-204
References  |                |
Metrics     |                | cvssV4_0: {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N'}


Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: CERT-PL

Published:

Updated: 2026-07-01T13:38:09.459Z

Reserved: 2026-06-11T07:44:52.179Z

Link: CVE-2026-53908

Vulnrichment

Updated: 2026-07-01T13:38:04.577Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-07-01T17:00:05Z

Weaknesses
  • CWE-204: Observable Response Discrepancy