Vulnerability in User Account Validation for WSO2 Products
CVE-2024-0391

5.3 MEDIUM

What is CVE-2024-0391?

The email OTP flow in WSO2 Identity Server does not adequately validate user input in its user account lock state handling. Because of this missing validation, an attacker can enumerate valid usernames, which facilitates brute-force and social engineering attacks: with a list of confirmed accounts, an attacker may launch targeted phishing campaigns to retrieve sensitive information from users, with potential damage to organizational reputation, regulatory compliance issues, and significant financial consequences.
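As an added illustration, not WSO2's code (the in-memory user store, handler names and response messages are hypothetical), this contrasts an OTP-initiation step whose account-lock handling discloses account state through its responses with one that returns a uniform response regardless of the username supplied:

```python
from dataclasses import dataclass
from typing import Callable, Dict

# Constructed sample user store; names and lock states are hypothetical.
@dataclass
class Account:
    email: str
    locked: bool

USERS: Dict[str, Account] = {
    "alice": Account("alice@example.test", locked=False),
    "bob": Account("bob@example.test", locked=True),
}

def send_otp(email: str) -> None:
    """Stand-in for the mail transport; a real deployment would enqueue an email here."""
    pass

def initiate_email_otp_vulnerable(username: str) -> str:
    # Each branch returns a distinct message, so the response itself reveals
    # whether the username exists and whether that account is locked.
    account = USERS.get(username)
    if account is None:
        return "user not found"
    if account.locked:
        return "account is locked"
    send_otp(account.email)
    return "OTP sent"

def initiate_email_otp_hardened(username: str) -> str:
    # One response for every outcome: unknown, locked and eligible users all see
    # the same message; the OTP is only actually sent for an existing, unlocked user.
    account = USERS.get(username)
    if account is not None and not account.locked:
        send_otp(account.email)
    return "If the account exists and is eligible, a one-time code has been sent"

def leaks_account_state(handler: Callable[[str], str],
                        known_user: str, unknown_user: str, locked_user: str) -> bool:
    """Defender-side check: does the handler's response differ by account state?

    Returns True when the three probes yield more than one distinct response,
    i.e. when the endpoint can serve as a username/lock-state oracle.
    """
    responses = {handler(known_user), handler(unknown_user), handler(locked_user)}
    return len(responses) > 1
```

The hardened handler still does more work for an eligible user (the mail send), so a complete fix should also keep response timing uniform, for example by always performing the same work or adding a fixed delay.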

Affected Version(s)

Email OTP Authenticator 1.0.18 < 1.0.18.7

WSO2 Carbon Authenticator Library For EmailOTP 4.1.0 < 4.1.0.8

WSO2 Carbon Authenticator Library For EmailOTP 4.1.4 < 4.1.4.9

CVSS V3.1

Score: 5.3
Severity: MEDIUM
Confidentiality: Low
Integrity: None
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
