{"api_version":"1","generated_at":"2026-05-13T01:06:29+00:00","cve":"CVE-2024-0391","urls":{"html":"https://cve.report/CVE-2024-0391","api":"https://cve.report/api/cve/CVE-2024-0391.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2024-0391","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2024-0391"},"summary":{"title":"Username Enumeration via Email OTP Flow in Multiple WSO2 Products Allows User Account Discovery","description":"The check user account lock states feature within the email OTP flow fails to validate user input, allowing an attacker to infer the existence of registered user accounts.\n\nThe discovery of valid usernames can increase the risk of brute-force and social engineering attacks. Attackers can leverage this information to craft targeted phishing campaigns or other malicious activities aimed at tricking users into divulging sensitive data, potentially damaging the organization's reputation and leading to regulatory non-compliance and financial consequences.","state":"PUBLISHED","assigner":"WSO2","published_at":"2026-05-11 10:16:11","updated_at":"2026-05-11 10:16:11"},"problem_types":["CWE-204","CWE-204 CWE-204 Observable response discrepancy"],"metrics":[{"version":"3.1","source":"ed10eef1-636d-4fbe-9993-6890dfa878f8","type":"Secondary","score":"5.3","severity":"MEDIUM","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N","baseScore":5.3,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"NONE","availabilityImpact":"NONE"}},{"version":"3.1","source":"CNA","type":"CVSS","score":"5.3","severity":"MEDIUM","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N","data":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":5.3,"baseSeverity":"MEDIUM","confidentialityImpact":"LOW","integrityImpact":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N","version":"3.1"}}],"references":[{"url":"https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2026/WSO2-2024-3115/","name":"https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2026/WSO2-2024-3115/","refsource":"ed10eef1-636d-4fbe-9993-6890dfa878f8","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2024-0391","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-0391","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"WSO2","product":"WSO2 Identity Server","version":"unknown 5.10.0 custom","platforms":[]},{"source":"CNA","vendor":"WSO2","product":"WSO2 Identity Server","version":"affected 5.10.0 5.10.0.379 custom","platforms":[]},{"source":"CNA","vendor":"WSO2","product":"WSO2 Identity Server","version":"affected 5.11.0 5.11.0.426 custom","platforms":[]},{"source":"CNA","vendor":"WSO2","product":"WSO2 Identity Server","version":"affected 5.11.0 5.11.0.431 custom","platforms":[]},{"source":"CNA","vendor":"WSO2","product":"WSO2 Identity Server","version":"affected 6.0.0 6.0.0.253 custom","platforms":[]},{"source":"CNA","vendor":"WSO2","product":"WSO2 Identity Server","version":"affected 6.1.0 6.1.0.254 custom","platforms":[]},{"source":"CNA","vendor":"WSO2","product":"WSO2 Identity Server","version":"affected 7.0.0 7.0.0.131 custom","platforms":[]},{"source":"CNA","vendor":"WSO2","product":"WSO2 Open Banking IAM","version":"unknown 2.0.0 custom","platforms":[]},{"source":"CNA","vendor":"WSO2","product":"WSO2 Open Banking IAM","version":"affected 2.0.0 2.0.0.318 custom","platforms":[]},{"source":"CNA","vendor":"WSO2","product":"WSO2 Identity Server as Key Manager","version":"unknown 5.10.0 custom","platforms":[]},{"source":"CNA","vendor":"WSO2","product":"WSO2 Identity Server as Key Manager","version":"affected 5.10.0 5.10.0.267 custom","platforms":[]},{"source":"CNA","vendor":"WSO2","product":"Email OTP Authenticator","version":"affected 1.0.18 1.0.18.7 custom","platforms":[]},{"source":"CNA","vendor":"WSO2","product":"Email OTP Authenticator","version":"unaffected 1.0.24 * custom","platforms":[]},{"source":"CNA","vendor":"WSO2","product":"WSO2 Carbon Authenticator Library For EmailOTP","version":"affected 4.1.0 4.1.0.8 custom","platforms":[]},{"source":"CNA","vendor":"WSO2","product":"WSO2 Carbon Authenticator Library For EmailOTP","version":"affected 4.1.4 4.1.4.9 custom","platforms":[]},{"source":"CNA","vendor":"WSO2","product":"WSO2 Carbon Authenticator Library For EmailOTP","version":"unaffected 4.1.22 * custom","platforms":[]},{"source":"CNA","vendor":"WSO2","product":"WSO2 Carbon Authenticator Library For EmailOTP","version":"affected 3.0.5 3.0.5.8 custom","platforms":[]},{"source":"CNA","vendor":"WSO2","product":"WSO2 Carbon Authenticator Library For EmailOTP","version":"affected 3.0.24 3.0.24.6 custom","platforms":[]},{"source":"CNA","vendor":"WSO2","product":"WSO2 Carbon Authenticator Library For EmailOTP","version":"affected 3.0.26 3.0.26.16 custom","platforms":[]}],"timeline":[],"solutions":[{"source":"CNA","title":"","value":"Follow the instructions given on https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2026/WSO2-2024-3115/#solution","time":"","lang":"en"}],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[],"vendor_comments":[],"enrichments":{"kev":null,"epss":{"cve_year":"2024","cve_id":"391","cve":"CVE-2024-0391","epss":"0.000230000","percentile":"0.066000000","score_date":"2026-05-12","updated_at":"2026-05-13 00:11:53"},"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"cna":{"affected":[{"defaultStatus":"unaffected","product":"WSO2 Identity Server","vendor":"WSO2","versions":[{"lessThan":"5.10.0","status":"unknown","version":"0","versionType":"custom"},{"lessThan":"5.10.0.379","status":"affected","version":"5.10.0","versionType":"custom"},{"lessThan":"5.11.0.426","status":"affected","version":"5.11.0","versionType":"custom"},{"lessThan":"5.11.0.431","status":"affected","version":"5.11.0","versionType":"custom"},{"lessThan":"6.0.0.253","status":"affected","version":"6.0.0","versionType":"custom"},{"lessThan":"6.1.0.254","status":"affected","version":"6.1.0","versionType":"custom"},{"lessThan":"7.0.0.131","status":"affected","version":"7.0.0","versionType":"custom"}]},{"defaultStatus":"unaffected","product":"WSO2 Open Banking IAM","vendor":"WSO2","versions":[{"lessThan":"2.0.0","status":"unknown","version":"0","versionType":"custom"},{"lessThan":"2.0.0.318","status":"affected","version":"2.0.0","versionType":"custom"}]},{"defaultStatus":"unaffected","product":"WSO2 Identity Server as Key Manager","vendor":"WSO2","versions":[{"lessThan":"5.10.0","status":"unknown","version":"0","versionType":"custom"},{"lessThan":"5.10.0.267","status":"affected","version":"5.10.0","versionType":"custom"}]},{"defaultStatus":"unknown","packageName":"org.wso2.carbon.identity.local.auth.emailotp:org.wso2.carbon.identity.local.auth.emailotp","product":"Email OTP Authenticator","vendor":"WSO2","versions":[{"lessThan":"1.0.18.7","status":"affected","version":"1.0.18","versionType":"custom"},{"lessThanOrEqual":"*","status":"unaffected","version":"1.0.24","versionType":"custom"}]},{"defaultStatus":"unknown","packageName":"org.wso2.carbon.extension.identity.authenticator.outbound.emailotp:org.wso2.carbon.identity.authenticator.emailotp","product":"WSO2 Carbon Authenticator Library For EmailOTP","vendor":"WSO2","versions":[{"lessThan":"4.1.0.8","status":"affected","version":"4.1.0","versionType":"custom"},{"lessThan":"4.1.4.9","status":"affected","version":"4.1.4","versionType":"custom"},{"lessThanOrEqual":"*","status":"unaffected","version":"4.1.22","versionType":"custom"}]},{"defaultStatus":"unknown","packageName":"org.wso2.carbon.extension.identity.authenticator.outbound.emailotp:org.wso2.carbon.extension.identity.authenticator.emailotp.connector","product":"WSO2 Carbon Authenticator Library For EmailOTP","vendor":"WSO2","versions":[{"lessThan":"3.0.5.8","status":"affected","version":"3.0.5","versionType":"custom"},{"lessThan":"3.0.24.6","status":"affected","version":"3.0.24","versionType":"custom"},{"lessThan":"3.0.26.16","status":"affected","version":"3.0.26","versionType":"custom"}]}],"cpeApplicability":[{"nodes":[{"cpeMatch":[{"criteria":"cpe:2.3:a:wso2:wso2_identity_server:*:*:*:*:*:*:*:*","versionEndExcluding":"5.10.0.379","versionStartIncluding":"5.10.0","vulnerable":true},{"criteria":"cpe:2.3:a:wso2:wso2_identity_server:*:*:*:*:*:*:*:*","versionEndExcluding":"5.11.0.426","versionStartIncluding":"5.11.0","vulnerable":true},{"criteria":"cpe:2.3:a:wso2:wso2_identity_server:*:*:*:*:*:*:*:*","versionEndExcluding":"5.11.0.431","versionStartIncluding":"5.11.0","vulnerable":true},{"criteria":"cpe:2.3:a:wso2:wso2_identity_server:*:*:*:*:*:*:*:*","versionEndExcluding":"6.0.0.253","versionStartIncluding":"6.0.0","vulnerable":true},{"criteria":"cpe:2.3:a:wso2:wso2_identity_server:*:*:*:*:*:*:*:*","versionEndExcluding":"6.1.0.254","versionStartIncluding":"6.1.0","vulnerable":true},{"criteria":"cpe:2.3:a:wso2:wso2_identity_server:*:*:*:*:*:*:*:*","versionEndExcluding":"7.0.0.131","versionStartIncluding":"7.0.0","vulnerable":true}],"negate":false,"operator":"OR"},{"cpeMatch":[{"criteria":"cpe:2.3:a:wso2:wso2_open_banking_iam:*:*:*:*:*:*:*:*","versionEndExcluding":"2.0.0.318","versionStartIncluding":"2.0.0","vulnerable":true}],"negate":false,"operator":"OR"},{"cpeMatch":[{"criteria":"cpe:2.3:a:wso2:wso2_identity_server_as_key_manager:*:*:*:*:*:*:*:*","versionEndExcluding":"5.10.0.267","versionStartIncluding":"5.10.0","vulnerable":true}],"negate":false,"operator":"OR"},{"cpeMatch":[{"criteria":"cpe:2.3:a:wso2:email_otp_authenticator:*:*:*:*:*:*:*:*","versionEndExcluding":"1.0.18.7","versionStartIncluding":"1.0.18","vulnerable":true},{"criteria":"cpe:2.3:a:wso2:email_otp_authenticator:*:*:*:*:*:*:*:*","versionEndIncluding":"*","versionStartIncluding":"1.0.24","vulnerable":false}],"negate":false,"operator":"OR"},{"cpeMatch":[{"criteria":"cpe:2.3:a:wso2:wso2_carbon_authenticator_library_for_emailotp:*:*:*:*:*:*:*:*","versionEndExcluding":"4.1.0.8","versionStartIncluding":"4.1.0","vulnerable":true},{"criteria":"cpe:2.3:a:wso2:wso2_carbon_authenticator_library_for_emailotp:*:*:*:*:*:*:*:*","versionEndExcluding":"4.1.4.9","versionStartIncluding":"4.1.4","vulnerable":true},{"criteria":"cpe:2.3:a:wso2:wso2_carbon_authenticator_library_for_emailotp:*:*:*:*:*:*:*:*","versionEndIncluding":"*","versionStartIncluding":"4.1.22","vulnerable":false}],"negate":false,"operator":"OR"},{"cpeMatch":[{"criteria":"cpe:2.3:a:wso2:wso2_carbon_authenticator_library_for_emailotp:*:*:*:*:*:*:*:*","versionEndExcluding":"3.0.5.8","versionStartIncluding":"3.0.5","vulnerable":true},{"criteria":"cpe:2.3:a:wso2:wso2_carbon_authenticator_library_for_emailotp:*:*:*:*:*:*:*:*","versionEndExcluding":"3.0.24.6","versionStartIncluding":"3.0.24","vulnerable":true},{"criteria":"cpe:2.3:a:wso2:wso2_carbon_authenticator_library_for_emailotp:*:*:*:*:*:*:*:*","versionEndExcluding":"3.0.26.16","versionStartIncluding":"3.0.26","vulnerable":true}],"negate":false,"operator":"OR"}],"operator":"OR"}],"descriptions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"The check user account lock states feature within the email OTP flow fails to validate user input, allowing an attacker to infer the existence of registered user accounts.\n\nThe discovery of valid usernames can increase the risk of brute-force and social engineering attacks. Attackers can leverage this information to craft targeted phishing campaigns or other malicious activities aimed at tricking users into divulging sensitive data, potentially damaging the organization's reputation and leading to regulatory non-compliance and financial consequences."}],"value":"The check user account lock states feature within the email OTP flow fails to validate user input, allowing an attacker to infer the existence of registered user accounts.\n\nThe discovery of valid usernames can increase the risk of brute-force and social engineering attacks. Attackers can leverage this information to craft targeted phishing campaigns or other malicious activities aimed at tricking users into divulging sensitive data, potentially damaging the organization's reputation and leading to regulatory non-compliance and financial consequences."}],"impacts":[{"capecId":"CAPEC-249","descriptions":[{"lang":"en","value":"CAPEC-249 CAPEC-249: Inferential Information Gathering"}]}],"metrics":[{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":5.3,"baseSeverity":"MEDIUM","confidentialityImpact":"LOW","integrityImpact":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N","version":"3.1"},"format":"CVSS","scenarios":[{"lang":"en","value":"GENERAL"}]}],"problemTypes":[{"descriptions":[{"cweId":"CWE-204","description":"CWE-204 Observable response discrepancy","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2026-05-11T08:45:33.754Z","orgId":"ed10eef1-636d-4fbe-9993-6890dfa878f8","shortName":"WSO2"},"references":[{"tags":["vendor-advisory"],"url":"https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2026/WSO2-2024-3115/"}],"solutions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"<span style=\"background-color: transparent;\">Follow the instructions given on </span><a target=\"_blank\" rel=\"nofollow\" href=\"https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2026/WSO2-2024-3115/#solution\"><span style=\"background-color: transparent;\">https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2026/WSO2-2024-3115/#solution</span></a> <br>"}],"value":"Follow the instructions given on https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2026/WSO2-2024-3115/#solution"}],"source":{"advisory":"WSO2-2024-3115","discovery":"INTERNAL"},"title":"Username Enumeration via Email OTP Flow in Multiple WSO2 Products Allows User Account Discovery","x_generator":{"engine":"Vulnogram 0.2.0"}}},"cveMetadata":{"assignerOrgId":"ed10eef1-636d-4fbe-9993-6890dfa878f8","assignerShortName":"WSO2","cveId":"CVE-2024-0391","datePublished":"2026-05-11T08:45:33.754Z","dateReserved":"2024-01-10T09:02:14.122Z","dateUpdated":"2026-05-11T08:45:33.754Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-05-11 10:16:11","lastModifiedDate":"2026-05-11 10:16:11","problem_types":["CWE-204","CWE-204 CWE-204 Observable response discrepancy"],"metrics":{"cvssMetricV31":[{"source":"ed10eef1-636d-4fbe-9993-6890dfa878f8","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N","baseScore":5.3,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"NONE","availabilityImpact":"NONE"},"exploitabilityScore":3.9,"impactScore":1.4}]},"configurations":[]},"legacy_mitre":{"record":{"CveYear":"2024","CveId":"391","Ordinal":"1","Title":"Username Enumeration via Email OTP Flow in Multiple WSO2 Product","CVE":"CVE-2024-0391","Year":"2024"},"notes":[{"CveYear":"2024","CveId":"391","Ordinal":"1","NoteData":"The check user account lock states feature within the email OTP flow fails to validate user input, allowing an attacker to infer the existence of registered user accounts.\n\nThe discovery of valid usernames can increase the risk of brute-force and social engineering attacks. Attackers can leverage this information to craft targeted phishing campaigns or other malicious activities aimed at tricking users into divulging sensitive data, potentially damaging the organization's reputation and leading to regulatory non-compliance and financial consequences.","Type":"Description","Title":"Username Enumeration via Email OTP Flow in Multiple WSO2 Product"}]}}}