CVE-2026-25138
Published: 2026-02-25
Priority: P4 (32) · Severity: medium · CVSS 3.1 base score: 5.3
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
EPSS: 0.33% (24.5th percentile)
Rucio is a software framework that provides functionality to organize, manage, and access large volumes of scientific data using customizable policies. Prior to versions 35.8.3, 38.5.4, and 39.3.1, the WebUI login endpoint returns distinct error messages depending on whether a supplied username exists, allowing unauthenticated attackers to enumerate valid usernames. Versions 35.8.3, 38.5.4, and 39.3.1 fix the issue.
Affected (6 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| cern | rucio | < 35.8.3 | 35.8.3 |
| cern | rucio | >= 36.0.0 < 38.5.4 | 38.5.4 |
| cern | rucio | >= 39.0.0 < 39.3.1 | 39.3.1 |
| rucio | rucio | < 35.8.3 | 35.8.3 |
| rucio | rucio | — | — |
| rucio | rucio | — | — |
OSV
Rucio WebUI has Username Enumeration via Login Error Message
osv · 2026-02-25 · CVE-2026-25138 · MEDIUM
GHSA
Rucio WebUI has Username Enumeration via Login Error Message
ghsa · 2026-02-25 · CVE-2026-25138 · MEDIUM · CWE-204
### Summary
The WebUI login endpoint returns distinct error messages depending on whether a supplied username exists, allowing unauthenticated attackers to enumerate valid usernames.
### Details
When submitting invalid credentials to `/ui/login`, the WebUI responds with different error messages based on the existence of the provided username (identity). A non-existent username results in an error indicating that no account is associated with the identity, while an existing username with an incorrect password produces a different authentication-related error.
This behavioral difference allows an attacker to distinguish valid usernames from invalid ones by observing the response content.
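The error-message oracle described above, beside the uniform-response fix that the OWASP authentication cheat sheet in the references recommends. This is an added illustration, not Rucio's code: the identity store, the hashing scheme, the function names and the error strings are constructed (the strings paraphrase the advisory, they are not Rucio's literal messages).

```python
import hashlib
import hmac
import os

# Constructed identity store (hypothetical; not Rucio's account backend):
# identity -> (salt, PBKDF2-SHA256 hash of the password).
def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

_SALT = b"constructed-salt"
USERS = {"alice": (_SALT, _derive("correct horse battery", _SALT))}
# Dummy credential so an unknown identity still runs a hash derivation and
# takes the same code path as a known one (no message or timing difference).
_DUMMY = (_SALT, _derive(os.urandom(16).hex(), _SALT))

GENERIC_FAILURE = "Invalid username or password."


def login_vulnerable(identity: str, password: str) -> tuple[int, str]:
    """The pattern the advisory describes (CWE-204): the error text differs
    depending on whether the identity exists."""
    if identity not in USERS:
        return 401, "No account associated with the given identity."
    salt, expected = USERS[identity]
    if not hmac.compare_digest(_derive(password, salt), expected):
        return 401, "Cannot authenticate: password incorrect."
    return 200, "OK"


def login_hardened(identity: str, password: str) -> tuple[int, str]:
    """Uniform failure: unknown identity and wrong password yield the same
    status and message, and both branches do the same amount of work."""
    known = identity in USERS
    salt, expected = USERS.get(identity, _DUMMY)
    password_ok = hmac.compare_digest(_derive(password, salt), expected)
    if not (known and password_ok):
        return 401, GENERIC_FAILURE
    return 200, "OK"


def failures_distinguishable(login, known_identity, unknown_identity, bad_password):
    """Regression check for the oracle: True if the two failure responses differ."""
    return login(known_identity, bad_password) != login(unknown_identity, bad_password)
```

`failures_distinguishable` is the check to keep in a test suite: it returns True for the vulnerable handler and False once the responses are uniform.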
### Proof of Concept
**Bogus Login (Non-
No detection rules found.
No public exploits indexed.
References
https://cheatsheetseries.owasp.org/cheatsheets/Authentication_Cheat_Sheet.html#authentication-and-error-messages
https://github.com/rucio/rucio/releases/tag/35.8.3
https://github.com/rucio/rucio/releases/tag/38.5.4
https://github.com/rucio/rucio/releases/tag/39.3.1
https://github.com/rucio/rucio/security/advisories/GHSA-38wq-6q2w-hcf9
Published: 2026-02-25