CVE-2026-25138

Source
https://cve.org/CVERecord?id=CVE-2026-25138
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-25138.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-25138
Aliases
Published
2026-02-25T19:28:35.628Z
Modified
2026-03-01T02:57:11.261611Z
Severity
  • 5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Summary
Rucio WebUI has Username Enumeration via Login Error Message
Details

Rucio is a software framework that provides functionality to organize, manage, and access large volumes of scientific data using customizable policies. Prior to versions 35.8.3, 38.5.4, and 39.3.1, the WebUI login endpoint returns distinct error messages depending on whether a supplied username exists, allowing unauthenticated attackers to enumerate valid usernames. Versions 35.8.3, 38.5.4, and 39.3.1 fix the issue.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/25xxx/CVE-2026-25138.json",
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-204"
    ]
}
References

Affected packages

Git / github.com/rucio/rucio

Affected ranges

Type
GIT
Repo
https://github.com/rucio/rucio
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "35.8.3"
        }
    ]
}
Type
GIT
Repo
https://github.com/rucio/rucio
Events
Database specific
{
    "versions": [
        {
            "introduced": "36.0.0rc1"
        },
        {
            "fixed": "38.5.4"
        }
    ]
}
Type
GIT
Repo
https://github.com/rucio/rucio
Events
Database specific
{
    "versions": [
        {
            "introduced": "39.0.0rc1"
        },
        {
            "fixed": "39.3.1"
        }
    ]
}

Affected versions

0.*
0.1.10
0.1.11
0.1.12
0.1.13
0.1.14
0.1.15
0.1.16
0.1.17
0.1.18
0.1.19
0.1.20
0.1.21
0.1.22
0.1.23
0.1.24
0.1.25
0.1.26
0.1.27
0.1.28
0.1.29
0.1.30
0.1.31
0.1.32
0.1.33
0.1.34
0.1.35
0.1.7
0.1.8
0.1.9
0.2.0
0.2.1
0.2.10
0.2.11
0.2.12
0.2.13
0.2.14
0.2.2
0.2.3
0.2.4
0.2.5
0.2.6
0.2.7
0.2.8
0.2.9
0.3.0
0.3.1
0.3.10
0.3.2
0.3.3
0.3.4
0.3.5
0.3.6
0.3.7
0.3.8
0.3.9
1.*
1.0.0
1.0.1
1.1.0
1.1.1
1.1.2
1.1.3
1.10.0
1.10.0.post1
1.10.1
1.10.2
1.10.3
1.10.4
1.10.4.post1
1.10.5
1.10.6
1.10.7
1.11.0
1.11.0.post1
1.11.1
1.11.2
1.11.3
1.11.4
1.12.0
1.12.0.post1
1.12.1
1.12.2
1.12.2.post1
1.12.3
1.12.3.post1
1.12.4
1.12.5
1.12.5.post1
1.12.5.post2
1.12.6
1.13.0
1.13.0.post1
1.13.1
1.13.3
1.14.0.post1
1.14.1.post1
1.14.10
1.14.11
1.14.2
1.14.3
1.14.4
1.14.5
1.14.6
1.14.7
1.14.8
1.14.8.post1
1.14.8.post2
1.14.9
1.14.9.post1
1.15.0
1.15.0.post1
1.15.1
1.15.2
1.15.3
1.15.3.post1
1.15.4
1.15.4.post1
1.15.5
1.16.0
1.16.0.post1
1.16.1
1.16.2
1.16.3
1.16.4
1.17.0
1.17.1
1.17.2
1.17.2.post1
1.17.3
1.17.4
1.17.5
1.17.6
1.17.6.post1
1.17.6.post2
1.17.7
1.17.8
1.17.8.post1
1.17.8.post2
1.18.0
1.18.1
1.18.2
1.18.3
1.18.4
1.18.5
1.18.5.post1
1.18.6
1.18.6.post1
1.18.7
1.18.8
1.18.8.post1
1.18.9
1.19.0
1.19.0.post1
1.19.0.post2
1.19.1
1.19.2
1.19.3
1.19.4
1.19.4.post1
1.19.4.post2
1.19.5
1.19.6
1.19.7
1.19.7.post1
1.19.8
1.2.0
1.2.1
1.2.2
1.2.3
1.2.4
1.2.5
1.2.5-1
1.2.5-2
1.2.5.post3
1.2.5.post4
1.20.0
1.20.0rc1
1.20.1
1.20.1.post1
1.20.2
1.20.3
1.20.3rc1
1.20.3rc2
1.20.4
1.20.4.post1
1.20.4.post2
1.20.4rc1
1.20.4rc2
1.20.4rc3
1.20.5
1.20.6
1.20.7
1.20.8
1.21.0
1.21.0.post1
1.21.0rc1
1.21.0rc2
1.21.0rc3
1.21.1
1.21.10
1.21.11
1.21.12
1.21.2
1.21.3
1.21.4
1.21.5
1.21.6
1.21.7
1.21.8
1.21.9
1.22.0
1.22.0.dev2
1.22.0.dev3
1.22.0rc1
1.22.0rc2
1.22.1
1.22.2
1.22.3
1.22.4
1.22.4.dev1
1.22.5
1.22.6
1.22.7
1.22.8
1.23.0
1.23.0rc1
1.23.0rc2
1.24.0
1.24.0rc1
1.25.0
1.25.0rc1
1.25.0rc2
1.26.0
1.26.0rc1
1.26.0rc2
1.27.0
1.27.0rc1
1.27.0rc2
1.28.0
1.28.0rc1
1.28.0rc2
1.29.0
1.29.0rc1
1.29.0rc2
1.3.0.post1
1.3.0.post2
1.3.1
1.3.1.post1
1.3.2
1.3.3
1.30.0
1.30.0rc1
1.30.0rc2
1.30.0rc3
1.31.0
1.4.0
1.4.0.post1
1.4.1
1.4.2
1.4.2.post1
1.4.3
1.4.4
1.4.5
1.4.6
1.5.0
1.5.1
1.5.10
1.5.11
1.5.11.post1
1.5.11.post2
1.5.12
1.5.2
1.5.3
1.5.4
1.5.5
1.5.6
1.5.7
1.5.9
1.6.0
1.6.0.post1
1.6.0.post2
1.6.1
1.6.2
1.6.3
1.6.4
1.6.5
1.6.6
1.6.7
1.6.8
1.7.0
1.7.1
1.7.2
1.7.3
1.8.0
1.8.1
1.8.2
1.8.3
1.8.4
1.8.5
1.8.5.post1
1.9.0
1.9.1
1.9.2
1.9.3
1.9.4
1.9.5
1.9.6
32.*
32.0.0
32.0.0rc1
32.0.0rc2
33.*
33.0.0
33.0.0rc1
33.0.0rc2
33.0.0rc3
34.*
34.0.0
34.0.0rc1
34.0.0rc2
35.*
35.0.0
35.0.0rc1
35.0.0rc2
35.0.1
35.1.0
35.1.1
35.2.0
35.2.1
35.3.0
35.4.0
35.4.1
35.5.0
35.6.0
35.6.1
35.7.0
35.8.0
35.8.2
36.*
36.0.0
36.0.0rc1
36.0.0rc2
36.0.0rc3
36.0.0rc4
36.0.0rc5
37.*
37.0.0
37.0.0rc1
37.0.0rc2
37.0.0rc3
37.0.0rc4
38.*
38.0.0
38.0.0rc1
38.0.0rc2
38.0.0rc3
38.1.0
38.2.0
38.3.0
38.4.0
38.5.0
38.5.1
38.5.2
38.5.3

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-25138.json"