CVE Catalog

CVE-2026-53908

MediumCVSS 6.9
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.32%

24th percentile — higher than 24% of all known CVEs

Summary

MCO is vulnerable to User Enumeration through authentication-related functionalities. The application returns distinguishable responses for valid and invalid users during username reminder and password reset operations. An attacker can leverage these differences to enumerate valid usernames and email addresses.

Risk Assessment

The risk is that an attacker can collect a list of valid user accounts, which can be used as a stepping stone for further attacks such as phishing or brute-force password attacks.

Recommendation

It is recommended to immediately update MCO to the latest available version if a patch has been released. If no update is available, consider implementing temporary mitigations such as restricting access to authentication functions or deploying response delay mechanisms.

Original NVD description (English source)

MCO is vulnerable to User Enumeration through authentication-related functionalities. The application returns distinguishable responses for valid and invalid users during username reminder and password reset operations. An attacker can leverage these differences to enumerate valid usernames and email addresses. Because vendor contact attempts were unsuccessful, the vulnerability has only been confirmed in version 25.3.3.1 but may also affect other versions.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS