Security Advisory WSO2-2025-4583/CVE-2025-13591

Published: 2026-05-03

Version: 1.0.0

Severity: Medium

CVSS Score: 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

CVE IDs: CVE-2025-13591

AFFECTED PRODUCTS

  • WSO2 Identity Server: 7.1.0, 7.0.0

OVERVIEW

Username enumeration vulnerability in the authentication endpoint.

DESCRIPTION

Due to distinct system responses at the authentication endpoint based on user existence, the product can be exploited to perform a username enumeration attack. This can lead to information disclosure and potential privacy violations.

IMPACT

Successful exploitation of this vulnerability allows an attacker to discover valid usernames within the system. The discovery of valid usernames significantly increases the risk of subsequent attacks such as brute force attacks on user credentials, social engineering attacks, and information leakage. Attackers can leverage the list of usernames to craft targeted phishing emails or other social engineering campaigns to trick users into divulging sensitive information.

SOLUTION

Community Users (Open Source)

Apply the relevant fixes to your product using the public fix(es) provided below.

If applying the fix or update is not feasible, migrate to the latest unaffected version of the respective WSO2 product(s).

Support Subscription Holders

Update your product to the specified update level, or to a higher update level, to mitigate the identified vulnerability.

Info

WSO2 Support Subscription Holders may use WSO2 Updates in order to apply the fix.

Product Name Product Version Update Level
WSO2 Identity Server 7.1.0 42
WSO2 Identity Server 7.0.0 134

After apply the provided update or Public PR to the affected versions of the products, it is necessary to add the following configuration to the /repository/conf/deployment.toml file: 

[authentication.local_authenticators]
hide_user_existence=true

Applying the update alone is not sufficient; the deployment will remain vulnerable without the addition of this configuration.