cbcvebase.
CVE-2024-0391
published 2026-05-11

CVE-2024-0391: The check user account lock states feature within the email OTP flow fails to validate user input, allowing an attacker to infer the existence of registered…

PriorityP421medium4.3CVSS 3.1
AVNACLPRNUIRSUCLINAN
EPSS
0.18%
8.2th percentile
The check user account lock states feature within the email OTP flow fails to validate user input, allowing an attacker to infer the existence of registered user accounts. The discovery of valid usernames can increase the risk of brute-force and social engineering attacks. Attackers can leverage this information to craft targeted phishing campaigns or other malicious activities aimed at tricking users into divulging sensitive data, potentially damaging the organization's reputation and leading to regulatory non-compliance and financial consequences.

Affected

21 ranges
VendorProductVersion rangeFixed in
wso2email_otp_authenticator>= 1.0.18 < 1.0.18.71.0.18.7
wso2identity_server>= 5.10.0 < 5.10.0.3795.10.0.379
wso2identity_server>= 5.11.0 < 5.11.0.4265.11.0.426
wso2identity_server>= 6.0.0 < 6.0.0.2536.0.0.253
wso2identity_server>= 6.1.0 < 6.1.0.2546.1.0.254
wso2identity_server>= 7.0.0 < 7.0.0.1317.0.0.131
wso2identity_server_as_key_manager>= 5.10.0 < 5.10.2675.10.267
wso2open_banking_iam>= 2.0.0 < 2.0.0.3182.0.0.318
wso2wso2_carbon_authenticator_library_for_emailotp>= 3.0.24 < 3.0.24.63.0.24.6
wso2wso2_carbon_authenticator_library_for_emailotp>= 3.0.26 < 3.0.26.163.0.26.16
wso2wso2_carbon_authenticator_library_for_emailotp>= 3.0.5 < 3.0.5.83.0.5.8
wso2wso2_carbon_authenticator_library_for_emailotp>= 4.1.0 < 4.1.0.84.1.0.8
wso2wso2_carbon_authenticator_library_for_emailotp>= 4.1.4 < 4.1.4.94.1.4.9
wso2wso2_identity_server>= 5.10.0 < 5.10.0.3795.10.0.379
wso2wso2_identity_server>= 5.11.0 < 5.11.0.4265.11.0.426
wso2wso2_identity_server>= 5.11.0 < 5.11.0.4315.11.0.431
wso2wso2_identity_server>= 6.0.0 < 6.0.0.2536.0.0.253
wso2wso2_identity_server>= 6.1.0 < 6.1.0.2546.1.0.254
wso2wso2_identity_server>= 7.0.0 < 7.0.0.1317.0.0.131
wso2wso2_identity_server_as_key_manager>= 5.10.0 < 5.10.0.2675.10.0.267
wso2wso2_open_banking_iam>= 2.0.0 < 2.0.0.3182.0.0.318
Stop checking back — get the weekly exploitation signal.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.