Zero Day Monitor (ZDM)
Zero Day Monitor © 2026
CVSS 5.3 · CVE-2024-0391 · EXPLOITED · PATCHED
Vendor: wso2 · Product: wso2 identity server

Username Enumeration via Email OTP Flow in Multiple WSO2 Products Allows User Account Discovery

Description

The check user account lock states feature within the email OTP flow fails to validate user input, allowing an attacker to infer the existence of registered user accounts. The discovery of valid usernames can increase the risk of brute-force and social engineering attacks. Attackers can leverage this information to craft targeted phishing campaigns or other malicious activities aimed at tricking users into divulging sensitive data, potentially damaging the organization's reputation and leading to regulatory non-compliance and financial consequences.

Affected Products

Vendor: wso2
Product: wso2 identity server
Versions: 5.10.0, 5.11.0, 5.11.0, 6.0.0, 6.1.0, 7.0.0, 2.0.0, 5.10.0, 1.0.18, 4.1.0, 4.1.4, 3.0.5, 3.0.24, 3.0.26

References

  • https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2026/WSO2-2024-3115/ (vendor advisory)

Related News (1 article)

Tier C
VulDB · 47d ago
CVE-2024-0391 | WSO2 Identity Server prior 7.0.0.131 response discrepancy
→ No new info (linked only)
CVSS 3.1: 5.3 MEDIUM
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
CISA KEV: No
Actively exploited: Yes
Patch available: yes. Fixed versions (run together in the export; the split below is a reconstruction matched against the affected-version list, so verify it against the vendor advisory): 5.10.0.379, 5.11.0.426, 5.11.0.431, 6.0.0.253, 6.1.0.254, 7.0.0.131, 2.0.0.318, 5.10.0.267, 1.0.18.7, 1.0.24, 4.1.0.8, 4.1.4.9, 4.1.22, 3.0.5.8, 3.0.24.6, 3.0.26.16
CWE: CWE-204
Published: May 11, 2026
Last enriched: 47d ago (v2)
Trending Score: 0
Source articles: 1
Independent: 1
Info Completeness: 9/14
Missing: epss, kev, exploit, iocs, mitre_attack


Related CVEs (5)

HIGH · CVE-2026-2053 · EXP
Unauthenticated Server-Side Request Forgery via WS-Addressing in WSO2 API Manager
Trending: 54

HIGH · CVE-2025-10908 · EXP
Account Lock Bypass via Magic Link or Pass Key Authentication in WSO2 Identity Server Allows Unauthorized Access

MEDIUM · CVE-2025-9973
Authorization Bypass via Adaptive Authentication in WSO2 Identity Server Allows Cross-Organization Account Takeover

MEDIUM · CVE-2025-8325 · EXP
Improper Access Control via Gateway API in Multiple WSO2 Products Allows Unauthorized Operations

HIGH · CVE-2024-2374
XML External Entity Injection in Multiple WSO2 Products Allows Arbitrary File Read and Denial of Service


Verification

State: unverified
Confidence: 0%

Vulnerability Timeline

CVE Published: May 11, 2026
Discovered by ZDM: May 11, 2026
Updated (severity, activelyExploited): May 11, 2026
Actively Exploited: May 11, 2026
Patch Available: May 11, 2026

Version History

v2 · Tier C · 47d ago (last enriched 47d ago)

Updated product list to include Open Banking IAM and changed severity to HIGH, while noting that no exploit is available.

Fields changed: severity, activelyExploited (via VulDB)

v1 · 47d ago

Initial creation