CVE-2025-14243 PUBLISHED

Mirror-registry: openshift mirror registry: user enumeration via authentication error messages

Assigner: redhat
Reserved: 08.12.2025 Published: 08.04.2026 Updated: 08.04.2026

A flaw was found in the OpenShift Mirror Registry. This vulnerability allows an unauthenticated, remote attacker to enumerate valid usernames and email addresses via different error messages during authentication failures and account creation.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
CVSS Score: 5.3

Attack Vector	Network	Scope	Unchanged
Attack Complexity	Low	Confidentiality Impact	Low
Privileges Required	None	Integrity Impact	None
User Interaction	None	Availability Impact	None

CVSS 3.1

Product Status

Vendor	Red Hat
Product	mirror registry for Red Hat OpenShift
Versions	Default: affected

Vendor	Red Hat
Product	mirror registry for Red Hat OpenShift 2
Versions	Default: affected

Workarounds

Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.

Credits

Red Hat would like to thank Antony Di Scala and Michael Whale for reporting this issue.

References

Problem Types

Generation of Error Message Containing Sensitive Information CWE