PYSEC-2026-3053

See a problem?
Import Source
https://github.com/pypa/advisory-database/blob/main/vulns/rucio-webui/PYSEC-2026-3053.yaml
JSON Data
https://api.osv.dev/v1/vulns/PYSEC-2026-3053
Aliases
Published
2026-07-13T14:36:38.666680Z
Modified
2026-07-13T16:32:44.020543348Z
Severity
  • 5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N CVSS Calculator
Summary
Rucio WebUI has Username Enumeration via Login Error Message
Details

Summary

The WebUI login endpoint returns distinct error messages depending on whether a supplied username exists, allowing unauthenticated attackers to enumerate valid usernames.

Details

When submitting invalid credentials to /ui/login, the WebUI responds with different error messages based on the existence of the provided username (identity). A non-existent username results in an error indicating that no account is associated with the identity, while an existing username with an incorrect password produces a different authentication-related error.

This behavioral difference allows an attacker to distinguish valid usernames from invalid ones by observing the response content.

Proof of Concept

Bogus Login (Non-existent Username "15251087")
Response contains:

Cannot get find any account associated with 15251087 identity.

Bogus Login (Existing Username "root", Wrong Password)
Response contains:

Cannot get auth token. It is possible that the presented identity root is not mapped to any Rucio account root.

The difference in error messages confirms whether a username exists.

Impact

An unauthenticated attacker can enumerate valid usernames, which may be leveraged for targeted password guessing, credential stuffing, or social engineering attacks.

Remediation / Mitigation

Return a generic authentication failure message for all login errors, regardless of whether the username exists. Avoid disclosing account or identity existence through error responses. Consider implementing rate limiting or additional login throttling to further reduce abuse.

Reources:

  • OWASP Authentication Cheat Sheet - Authentication and Error Messages: https://cheatsheetseries.owasp.org/cheatsheets/AuthenticationCheatSheet.html#authentication-and-error-messages
References

Affected packages

PyPI / rucio-webui

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
35.8.3
Introduced
36.0.0rc1
Fixed
38.5.4
Introduced
39.0.0rc1
Fixed
39.3.1

Affected versions

1.*
1.5.10
1.5.11
1.5.11.post1
1.5.11.post2
1.5.12
1.6.0
1.6.0.post1
1.6.0.post2
1.6.1
1.6.2
1.6.3
1.6.4
1.6.5
1.6.7
1.6.8
1.7.0
1.7.1
1.7.2
1.7.3
1.8.0
1.8.1
1.8.2
1.8.3
1.8.4
1.8.5
1.8.5.post1
1.9.0
1.9.1
1.9.2
1.9.3
1.9.4
1.9.5
1.9.6
1.10.0
1.10.0.post1
1.10.2
1.10.3
1.10.4
1.10.4.post1
1.10.5
1.10.6
1.11.0
1.11.0.post1
1.11.1
1.11.2
1.11.3
1.11.4
1.12.0
1.12.0.post1
1.12.1
1.12.2
1.12.2.post1
1.12.3
1.12.3.post1
1.12.4
1.12.5
1.12.5.post1
1.12.5.post2
1.12.6
1.13.0
1.13.0.post1
1.13.0.post2
1.13.1
1.13.2
1.14.0.post1
1.14.0.post2
1.14.1.post1
1.14.2
1.14.6
1.14.7
1.14.8
1.14.8.post1
1.14.8.post2
1.14.9
1.14.9.post1
1.15.0
1.15.0.post1
1.15.1
1.15.2
1.15.3
1.15.3.post1
1.15.4
1.15.4.post1
1.16.0
1.16.0.post1
1.16.1
1.16.2
1.16.3
1.17.0
1.17.1
1.17.2
1.17.2.post1
1.17.5
1.17.6
1.17.6.post1
1.17.6.post2
1.17.7
1.17.8
1.17.8.post1
1.17.8.post2
1.18.0
1.18.1
1.18.3
1.18.4
1.18.5
1.18.5.post1
1.18.6
1.18.6.post1
1.18.7
1.18.8
1.18.8.post1
1.18.9
1.19.0.post2
1.19.1
1.19.2
1.19.3
1.19.4
1.19.4.post1
1.19.4.post2
1.19.5
1.19.6
1.19.7
1.19.7.post1
1.19.8
1.20.0rc1
1.20.0
1.20.1
1.20.1.post1
1.20.2
1.20.3rc1
1.20.3rc2
1.20.3
1.20.4rc1
1.20.4rc2
1.20.4rc3
1.20.4
1.20.4.post1
1.20.4.post2
1.20.5
1.20.6
1.20.7
1.20.8
1.20.9
1.20.10
1.20.11
1.20.13
1.20.14
1.20.15
1.20.16
1.21.0.dev1
1.21.0rc1
1.21.0rc2
1.21.0rc3
1.21.0
1.21.0.post1
1.21.0.post2
1.21.1
1.21.2
1.21.3
1.21.4
1.21.5
1.21.6
1.21.7
1.21.8
1.21.10
1.21.10.post1
1.21.12
1.22.0.dev1
1.22.0.dev2
1.22.0.dev3
1.22.0rc1
1.22.0rc2
1.22.0
1.22.1
1.22.2
1.22.3
1.22.3.post1
1.22.4.dev1
1.22.4
1.22.6
1.22.6.post1
1.22.7
1.22.8
1.22.8.post1
1.23.0rc1
1.23.0rc2
1.23.0
1.23.1
1.23.2
1.23.2.post1
1.23.2.post2
1.23.4
1.23.5
1.23.5.post1
1.23.6
1.23.6.post1
1.23.7
1.23.7.post1
1.23.8
1.23.9
1.23.9.post1
1.23.9.post2
1.23.9.post3
1.23.9.post4
1.23.10
1.23.11
1.23.11.post1
1.23.11.post2
1.23.11.post3
1.23.11.post4
1.23.12
1.23.13
1.23.14
1.23.15
1.23.17
1.23.18
1.23.19
1.23.20
1.24.0rc1
1.24.0
1.24.1
1.24.1.post1
1.24.1.post2
1.24.1.post3
1.24.1.post4
1.24.2
1.24.2.post1
1.24.3
1.24.3.post1
1.24.4
1.24.5
1.24.5.post1
1.25.0rc1
1.25.0rc2
1.25.0
1.25.1
1.25.1.post1
1.25.2
1.25.3
1.25.3.post1
1.25.3.post2
1.25.4
1.25.4.post1
1.25.5
1.25.6
1.25.7
1.26.0rc1
1.26.0rc2
1.26.0
1.26.1
1.26.1.post1
1.26.2
1.26.4
1.26.5
1.26.6
1.26.7
1.26.7.post1
1.26.8
1.26.8.post1
1.26.9
1.26.10
1.26.11
1.26.12
1.26.13
1.26.14
1.26.15
1.26.16
1.26.17
1.26.18
1.27.0rc1
1.27.0rc2
1.27.0
1.27.0.post1
1.27.1
1.27.2
1.27.3
1.27.4
1.27.4.post1
1.27.5
1.27.7
1.27.9
1.27.10
1.27.11
1.27.12
1.28.0rc1
1.28.0rc2
1.28.0
1.28.1
1.28.2
1.28.3
1.28.4
1.28.5
1.28.6
1.28.7
1.29.0rc1
1.29.0rc2
1.29.0
1.29.1
1.29.2
1.29.2.post1
1.29.2.post2
1.29.3
1.29.3.post1
1.29.4
1.29.5
1.29.6
1.29.7
1.29.7.post1
1.29.8
1.29.9
1.29.10
1.29.11
1.29.12
1.29.13
1.29.14
1.29.15
1.29.16
1.29.17
1.29.18
1.29.19
1.30.0rc1
1.30.0rc2
1.30.0rc3
1.30.0
1.30.1
1.30.2
1.30.3
1.30.4
1.30.5
1.30.6
1.30.7
1.30.8
1.31.0rc1
1.31.0rc2
1.31.0rc3
1.31.0
1.31.1
1.31.2
1.31.3
1.31.4
1.31.5
1.31.6
1.31.7
32.*
32.0.0rc1
32.0.0rc2
32.0.0
32.1.0
32.2.0
32.3.0
32.3.1
32.4.0
32.5.0
32.5.0.post1
32.5.1
32.6.0
32.6.0.post1
32.7.0
32.8.0
32.8.1
32.8.2
32.8.3
32.8.4
32.8.5
32.8.6
33.*
33.0.0rc1
33.0.0rc2
33.0.0rc3
33.0.0
33.1.0
33.2.0
33.2.1
33.3.0
33.4.0
33.4.0.post1
33.5.0
33.6.0
33.6.1
34.*
34.0.0rc1
34.0.0rc2
34.0.0
34.1.0
34.2.0
34.3.0
34.4.0
34.4.1
34.4.2
34.4.3
34.5.0
34.6.0
35.*
35.0.0rc1
35.0.0rc2
35.0.0
35.0.1
35.1.0
35.1.1
35.2.0
35.2.1
35.3.0
35.4.0
35.4.1
35.5.0
35.6.0
35.6.1
35.7.0
35.8.0
35.8.1
35.8.2
36.*
36.0.0rc1
36.0.0rc2
36.0.0rc3
36.0.0rc4
36.0.0rc5
36.0.0
36.0.0.post1
36.0.0.post2
36.1.0
36.2.0
36.3.0
36.4.0
36.5.0
37.*
37.0.0rc1
37.0.0rc2
37.0.0rc3
37.0.0rc4
37.0.0
37.1.0
37.1.0.post1
37.2.0
37.3.0
37.4.0
37.5.0
37.6.0
37.7.0
37.7.1
38.*
38.0.0rc1
38.0.0rc2
38.0.0rc3
38.0.0
38.1.0
38.2.0
38.3.0
38.4.0
38.5.0
38.5.1
38.5.2
38.5.3
39.*
39.0.0rc1
39.0.0rc2
39.0.0
39.1.0
39.2.0
39.3.0

Database specific

source
"https://github.com/pypa/advisory-database/blob/main/vulns/rucio-webui/PYSEC-2026-3053.yaml"