Account Enumeration in Password Reset (DOM-26-005)


Summary

Digi On-Prem Manager returned distinguishable password reset responses for missing accounts, SSO accounts, and accounts without an email address on file. An unauthenticated attacker could use those differences to determine whether a username existed.

This issue did not allow password reset or sign-in without valid credentials.
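
As an added illustration (example code written for this page, not Digi's implementation, which the advisory does not show), a hypothetical Python reset handler with the three distinguishable states described above, beside a hardened form that returns one response regardless of account state. Account names, messages and the directory are constructed sample data.

```python
from dataclasses import dataclass
from typing import Callable, Iterable, Optional


@dataclass
class Account:
    username: str
    email: Optional[str]   # None when no email address is on file
    sso: bool = False      # True when sign-in is delegated to an identity provider


# Constructed sample directory (not real data).
ACCOUNTS = {
    "alice": Account("alice", "alice@example.com"),
    "bob":   Account("bob", None),
    "carol": Account("carol", "carol@example.com", sso=True),
}

SENT = []  # records addresses the example "sent" mail to, so the effect can be checked


def send_reset_email(address: str) -> None:
    SENT.append(address)


def reset_vulnerable(username: str) -> str:
    """Before: each account state yields a different message, so the reply
    tells an unauthenticated caller whether the username exists."""
    acct = ACCOUNTS.get(username)
    if acct is None:
        return "No account with that username."
    if acct.sso:
        return "This account uses single sign-on."
    if acct.email is None:
        return "No email address on file for this account."
    send_reset_email(acct.email)
    return "A reset link has been sent."


GENERIC = "If a matching, reset-eligible account exists, an email has been sent."


def reset_hardened(username: str) -> str:
    """After: eligibility is decided internally and only controls whether
    mail is sent; the response body is the same for every input."""
    acct = ACCOUNTS.get(username)
    if acct is not None and not acct.sso and acct.email:
        send_reset_email(acct.email)
    return GENERIC


def responses_distinguish(handler: Callable[[str], str], usernames: Iterable[str]) -> bool:
    """True when the handler's replies differ across the usernames, i.e. the
    endpoint leaks account state. Use this as a regression check."""
    return len({handler(u) for u in usernames}) > 1
```

Uniform bodies are necessary but not sufficient: status codes, redirects and response latency (mail is only sent on some paths) must also be made indistinguishable, and reset requests should be rate limited and logged.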

Preconditions

This advisory applies only when password reset is enabled and reachable by the attacker.

Solution

Update to Digi On-Prem Manager v26.06 or later.

Affected Versions

Digi On-Prem Manager versions before v26.06 with password reset enabled are affected.