Intel

AIKIDO-2026-223996

django-rest-passwordreset is vulnerable to User Enumeration

User Enumeration Pre-CVE
Found by Aikido Intel before public disclosure or CVE publication.
Published 3 days ago

20

Low Risk

This Affects:

PYTHONdjango-rest-passwordreset
0.9.0 - 1.5.0
Fixed in 1.6.0
Are you affected? Scan for Free

TL;DR

The password-reset request endpoint (POST .../reset_password/) discloses whether an account exists by returning HTTP 400 with an email error for unknown or ineligible accounts while returning HTTP 200 for valid ones, forming a user-enumeration oracle. The token-validation and password-confirm endpoints also hard-code throttle_classes = (), so an operator's global DRF throttle configuration is silently bypassed on these security-critical flows, and they return distinct error messages that reveal token state (missing vs expired). An unauthenticated attacker can enumerate valid accounts and, when a weak token generator is configured, brute-force reset tokens without rate limiting. The fix defaults DJANGO_REST_PASSWORDRESET_NO_INFORMATION_LEAKAGE to true so the request endpoint always returns a generic 200, stops overriding global throttles on validate/confirm, and returns a single generic 404 for all token failures.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range and have not set DJANGO_REST_PASSWORDRESET_NO_INFORMATION_LEAKAGE = True (available from 1.1.0 onward).

Background info

django-rest-passwordreset is vulnerable to User Enumeration in versions 0.9.0 - 1.5.0.

How to fix this

Upgrade the django-rest-passwordreset library to the patch version. On versions 1.1.0 and later you can also set DJANGO_REST_PASSWORDRESET_NO_INFORMATION_LEAKAGE = True to close the user-enumeration oracle without upgrading.