What is CVE-2026-25138?

CVE-2026-25138 is a medium-severity vulnerability in Rucio, classified under Observable Response Discrepancy. CVSS score: 5.3/10. Published 2026-02-25.

How severe is CVE-2026-25138?

Medium severity. CVSS v3 base score is 5.3 out of 10.

Vulnerability in Rucio

CVE-2026-25138

Rucio is a software framework that provides functionality to organize, manage, and access large volumes of scientific data using customizable policies. Prior to versions 35.8.3, 38.5.4, and 39.3.1, the WebUI login endpoint returns distinct…

EPSS: 0.001 (23.0th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 5.3 (Medium). Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N.

Affected products

Rucio — versions < 35.8.3, >= 36.0.0rc1, < 38.5.4, >= 39.0.0rc1, < 39.3.1

Weakness classification (CWE)

CWE-204 — Observable Response Discrepancy

References

https://github.com/rucio/rucio/security/advisories/GHSA-38wq-6q2w-hcf9 (x_refsource_CONFIRM)
https://cheatsheetseries.owasp.org/cheatsheets/Authentication_Cheat_Sheet.html#authentication-and-error-messages (x_refsource_MISC)
https://github.com/rucio/rucio/releases/tag/35.8.3 (x_refsource_MISC)
https://github.com/rucio/rucio/releases/tag/38.5.4 (x_refsource_MISC)
https://github.com/rucio/rucio/releases/tag/39.3.1 (x_refsource_MISC)

Frequently asked questions

What is CVE-2026-25138?: CVE-2026-25138 is a medium-severity vulnerability in Rucio, classified under Observable Response Discrepancy. CVSS score: 5.3/10. Published 2026-02-25.
How severe is CVE-2026-25138?: Medium severity. CVSS v3 base score is 5.3 out of 10.