Username Enumeration Vulnerability in Rejetto HFS by Rejetto
CVE-2026-61503

6.9MEDIUM

Key Information:

Vendor

Rejetto

Status
Vendor
CVE Published:
13 July 2026

What is CVE-2026-61503?

The Rejetto HFS product versions 3.0.0 through 3.2.0 contain a vulnerability in the login process that discriminates responses based on the existence of entered usernames. This discrepancy allows remote attackers to ascertain valid usernames—specifically, the presence of accounts like the default admin account—through the responses received. Such information can be exploited to carry out password guessing attacks and potentially lead to session forgery, thus compromising user accounts.

Affected Version(s)

hfs 3.0.0

References

CVSS V4

Score:
6.9
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Zach Hanley (@hacks_zach) of Horizon3.ai, in collaboration with Claude and Anthropic Research
.