GHSA-q3x8-6898-23g3: ibexa/user login enumerates user accounts

October 17, 2025

In v5, error messages could provide enough information to tell whether a user exists or not. This is resolved by ensuring the error messages are sufficiently ambigious.

References

developers.ibexa.co/security-advisories/ibexa-sa-2025-004-xss-and-enumeration-vulnerabilities-in-back-office
github.com/advisories/GHSA-q3x8-6898-23g3
github.com/ibexa/user
github.com/ibexa/user/security/advisories/GHSA-q3x8-6898-23g3

Code Behaviors & Features

Detect and mitigate GHSA-q3x8-6898-23g3 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →