CVE-2024-0391

EUVD-2024-16187

11.05.2026, 10:16

The check user account lock states feature within the email OTP flow fails to validate user input, allowing an attacker to infer the existence of registered user accounts.

The discovery of valid usernames can increase the risk of brute-force and social engineering attacks. Attackers can leverage this information to craft targeted phishing campaigns or other malicious activities aimed at tricking users into divulging sensitive data, potentially damaging the organization's reputation and leading to regulatory non-compliance and financial consequences.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	5.3 MEDIUM	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Base Score

CVSS 3.x

EPSS Score

Percentile: 8%

Affected Products (NVD)

Vendor	Product	Version
wso2	identity_server	5.10.0 ≤ 𝑥 < 5.10.0.379
wso2	identity_server	5.11.0 ≤ 𝑥 < 5.11.0.426
wso2	identity_server	6.0.0 ≤ 𝑥 < 6.0.0.253
wso2	identity_server	6.1.0 ≤ 𝑥 < 6.1.0.254
wso2	identity_server	7.0.0 ≤ 𝑥 < 7.0.0.131
wso2	identity_server_as_key_manager	5.10.0 ≤ 𝑥 < 5.10.267
wso2	open_banking_iam	2.0.0 ≤ 𝑥 < 2.0.0.318

𝑥

= Vulnerable software versions

Common Weakness Enumeration

CWE-204 - Observable Response Discrepancy
The product provides different responses to incoming requests in a way that reveals internal state information to an unauthorized actor outside of the intended control sphere.

References

https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2026/WSO2-2024-3115/