PT-2026-21998 · Rucio · Rucio
D-Woosley · Published 2026-02-25 · Updated 2026-02-26
CVE-2026-25138
CVSS v3.1 5.3 Medium
Vector AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions
Rucio versions prior to 35.8.3
Rucio versions prior to 38.5.4
Rucio versions prior to 39.3.1
Description
Rucio's WebUI login endpoint, /ui/login, returns different error messages depending on whether the supplied username exists: a non-existent username yields an error stating that no associated account was found, while an existing username with an incorrect password yields a different authentication error. An unauthenticated attacker can therefore submit candidate usernames with a junk password and tell valid accounts from invalid ones simply by comparing the responses; this information leak is the confidentiality impact (C:L) behind the CVSS score. The resulting list of valid usernames can then be used for targeted password guessing, credential stuffing, or social engineering.
Recommendations
Update Rucio to 35.8.3, 38.5.4, or 39.3.1, depending on the release line in use. The fix is to return one generic authentication failure message for all login errors at /ui/login, regardless of whether the username exists. When verifying the fix, or applying the same change to a fork, also confirm that the HTTP status code, response length, and response time do not differ between the "unknown user" and "wrong password" cases, since any of these can reintroduce the same oracle, and rate-limit the endpoint to slow both enumeration and the password guessing that follows.
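The following is an added example, not Rucio's own code, that models the oracle described above and the fix the recommendation calls for. It pairs a login handler that leaks account existence through its error message with a hardened version that returns a single generic failure and does the same amount of password-hashing work for unknown and known users, and it includes the probe an attacker (or a tester verifying the fix) would run: submit each candidate with a junk password and compare the response against a known-bad username. The user table, password hashing, error strings, and function names are all constructed for illustration and are assumptions, not Rucio's implementation.

```python
"""
Added example (not Rucio's code): a username-enumeration oracle of the kind
described in CVE-2026-25138, the hardened handler the advisory recommends,
and the differential probe used to check for the leak.
"""
import hashlib
import hmac
import os


def _hash(salt: bytes, password: str) -> bytes:
    # PBKDF2 stands in for whatever the real application uses; the cost
    # matters only in that it is identical for every code path below.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)


# Constructed user store: username -> (salt, password hash). Assumed data.
_SALT = os.urandom(16)
USERS = {
    "alice": (_SALT, _hash(_SALT, "correct horse")),
    "bob": (_SALT, _hash(_SALT, "battery staple")),
}
# Dummy hash verified for unknown usernames so the hardened handler spends
# the same time on them as on real ones (no timing oracle).
_DUMMY = _hash(_SALT, "not-a-real-password")

GENERIC_ERROR = "Cannot authenticate with the given credentials."


def login_vulnerable(username: str, password: str) -> tuple[int, str]:
    """Behaviour the advisory describes: the error text reveals whether the
    account exists. (Messages are constructed, not Rucio's actual strings.)"""
    if username not in USERS:
        return 401, "No account associated with this username."
    salt, expected = USERS[username]
    if hmac.compare_digest(_hash(salt, password), expected):
        return 200, "OK"
    return 401, "Invalid password."


def login_fixed(username: str, password: str) -> tuple[int, str]:
    """Recommended behaviour: one generic failure for every error, with the
    same work done whether or not the username exists."""
    salt, expected = USERS.get(username, (_SALT, _DUMMY))
    ok = hmac.compare_digest(_hash(salt, password), expected)
    if ok and username in USERS:  # a match against the dummy must not log in
        return 200, "OK"
    return 401, GENERIC_ERROR


def enumerate_usernames(login, candidates, baseline="zz-nonexistent-zz"):
    """Attacker/tester view: probe each candidate with a junk password and
    report those whose (status, message) differs from a known-bad username.
    Returns the usernames the endpoint reveals as existing; an empty list
    means the responses are indistinguishable."""
    reference = login(baseline, "x")
    return [u for u in candidates if login(u, "x") != reference]


if __name__ == "__main__":
    wordlist = ["alice", "bob", "carol", "dave"]
    print("vulnerable handler leaks:", enumerate_usernames(login_vulnerable, wordlist))
    print("fixed handler leaks:     ", enumerate_usernames(login_fixed, wordlist))
```

To run the same check against a live endpoint, replace `login` with a function that posts the form to /ui/login and returns the status code and body; in that setting, compare the response length and elapsed time as well as the text, since the advisory's fix only addresses the message and a fork could still leak through the other channels.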

Related Identifiers

CVE-2026-25138
GHSA-38WQ-6Q2W-HCF9

Affected Products

Rucio