Username Enumeration Vulnerability in WSO2 Products
CVE-2025-1396

3.7LOW

Key Information:

Vendor: Wso2
Status: Wso2 Identity Server; Wso2 Open Banking Iam; Wso2 Identity Server As Key Manager
Vendor: CVE Published:; 26 September 2025

What is CVE-2025-1396?

A username enumeration vulnerability exists in multiple WSO2 products when Multi-Attribute Login is enabled. This results in the application returning a distinct 'User does not exist' message upon failed login attempts, independent of the username validation setting. Malicious actors can exploit this response characteristic to ascertain which usernames are valid within the system. This information could facilitate brute-force attacks, targeted phishing campaigns, and other social engineering techniques by confirming the presence of valid user identifiers.

Affected Version(s)

WSO2 Identity Server 5.10.0 < 5.10.0.346

WSO2 Identity Server 5.11.0 < 5.11.0.395

WSO2 Identity Server 6.0.0 < 6.0.0.231

References

https://security.docs.wso2.com/en/latest/security-announc...

vendor-advisory

CVSS V3.1

Score:

3.7

Severity:

LOW

Confidentiality:

Low

Integrity:

None

Availability:

Low

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Sep 26, 2025
Vulnerability Reserved
Feb 17, 2025

JSON

Wso2

What is CVE-2025-1396?

Affected Version(s)

References

CVSS V3.1

Timeline