CVE-2026-25138 - Vulnerability Analysis
MediumCVSS: 5.3Last Updated: February 27, 2026
Rucio - Authentication Bypass
Published: February 25, 2026Updated: February 27, 2026PoC AvailableRemote Exploitable
Overview
Rucio < 35.8.3, < 38.5.4, and < 39.3.1 contain an information disclosure vulnerability caused by distinct error messages in the WebUI login endpoint, letting unauthenticated attackers enumerate valid usernames, exploit requires no authentication.
Severity & Score
Severity: Medium
CVSS Score: 5.3
Impact
Unauthenticated attackers can enumerate valid usernames, aiding further targeted attacks.
Mitigation
Update to versions 35.8.3, 38.5.4, or 39.3.1 or later.
References
- https://cheatsheetseries.owasp.org/cheatsheets/Authentication_Cheat_Sheet.html#authentication-and-error-messages
- https://github.com/rucio/rucio/releases/tag/35.8.3
- https://github.com/rucio/rucio/releases/tag/38.5.4
- https://github.com/rucio/rucio/releases/tag/39.3.1
- https://github.com/rucio/rucio/security/advisories/GHSA-38wq-6q2w-hcf9
Related Resources
Details
- CVE ID
- CVE-2026-25138
- Severity
- Medium
- CVSS Score
- 5.3
- Type
- broken_authentication
- Status
- confirmed
CWE
- CWE-204
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N