Email address enumeration in password reset #1636

New Issue

Closed

opened 2026-02-05 01:28:44 +03:00 by OVERLORD · 3 comments

OVERLORD commented 2026-02-05 01:28:44 +03:00

Owner

Copy Link

Originally created by @Cave-Johnson on GitHub (Apr 8, 2020).

Describe the bug
The password reset form allows for usernames / email addresses to be enumerated. A valid email address shows the message:
"A password reset link has been sent to email@email.com"

where as a non existent email shows the error:
"We can't find a user with that e-mail address."

Steps To Reproduce
Steps to reproduce the behavior:

1. Go to the forgotten password page
2. Enter a valid and invalid email address
3. Observe responses from the application

Expected behavior
The application should respond to invalid email addresses with the same generic error response as a valid email, thereby not indicating to an attacker the validity of the value submitted preventing username enumeration

Originally created by @Cave-Johnson on GitHub (Apr 8, 2020). **Describe the bug** The password reset form allows for usernames / email addresses to be enumerated. A valid email address shows the message: "A password reset link has been sent to email@email.com" where as a non existent email shows the error: "We can't find a user with that e-mail address." **Steps To Reproduce** Steps to reproduce the behavior: 1. Go to the forgotten password page 2. Enter a valid and invalid email address 3. Observe responses from the application **Expected behavior** The application should respond to invalid email addresses with the same generic error response as a valid email, thereby not indicating to an attacker the validity of the value submitted preventing username enumeration

OVERLORD added the 🚪 Authentication🔒 Security🏭 Back-End labels 2026-02-05 01:28:44 +03:00

OVERLORD closed this issue 2026-02-05 01:28:46 +03:00

OVERLORD commented 2026-02-05 01:28:49 +03:00

Author

Owner

Copy Link

@ssddanbrown commented on GitHub (Apr 9, 2020):

Thanks for raising @Cave-Johnson.

It's a good point, I know some services differ as there's an argument of the current state providing a potential better user-experience, to avoid cases such as mis-typed emails or a user entering their wrong email, but we can't assume the environments BookStack will be used in so we should err on the side of caution & security.

Have assigned to be part of the next release.

@ssddanbrown commented on GitHub (Apr 9, 2020): Thanks for raising @Cave-Johnson. It's a good point, I know some services differ as there's an argument of the current state providing a potential better user-experience, to avoid cases such as mis-typed emails or a user entering their wrong email, but we can't assume the environments BookStack will be used in so we should err on the side of caution & security. Have assigned to be part of the next release.

OVERLORD commented 2026-02-05 01:28:53 +03:00

Author

Owner

Copy Link

@Cave-Johnson commented on GitHub (Apr 9, 2020):

Thanks for the prompt reply!

Perhaps if the generic error showed said something a long the lines of "If this is a registered email address on this instance of bookstack, a password reset link will be sent to the address specified" it would give a user enough information and maintain the security of the password reset functionality?

@Cave-Johnson commented on GitHub (Apr 9, 2020): Thanks for the prompt reply! Perhaps if the generic error showed said something a long the lines of "If this is a registered email address on this instance of bookstack, a password reset link will be sent to the address specified" it would give a user enough information and maintain the security of the password reset functionality?

OVERLORD commented 2026-02-05 01:28:57 +03:00

Author

Owner

Copy Link

@ssddanbrown commented on GitHub (Apr 10, 2020):

I've made the updates to this system now.

The notification will show as "A password reset link will be sent to <input_email> if that email address is found in the system.".

I've also updated the follow-on form, where the new password get's set, to show an invalid token warning if the given email given does not exist, instead of a non-existing user warning.

This will be part of the next feature release, v0.29.

@ssddanbrown commented on GitHub (Apr 10, 2020): I've made the updates to this system now. The notification will show as "A password reset link will be sent to <input_email> if that email address is found in the system.". I've also updated the follow-on form, where the new password get's set, to show an invalid token warning if the given email given does not exist, instead of a non-existing user warning. This will be part of the next feature release, v0.29.

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

development

l10n_development

further_theme_development

release

llm_only

vectors

v25-11

docker_env

drawio_rendering

user_permissions

ldap_host_failover

svg_image

prosemirror

captcha_example

fix/video-export

v25.12.3

v25.12.2

v25.12.1

v25.12

v25.11.6

v25.11.5

v25.11.4

v24.11.4

v25.11.3

v25.11.2

v25.11.1

v25.11

v25.07.3

v25.07.2

v25.07.1

v25.07

v25.05.2

v25.05.1

v25.05

v25.02.5

v25.02.4

v25.02.3

v25.02.2

v25.02.1

v25.02

v24.12.1

v24.12

v24.10.3

v24.10.2

v24.10.1

v24.10

v24.05.4

v24.05.3

v24.05.2

v24.05.1

v24.05

v24.02.3

v24.02.2

v24.02.1

v24.02

v23.12.3

v23.12.2

v23.12.1

v23.12

v23.10.4

v23.10.3

v23.10.2

v23.10.1

v23.10

v23.08.3

v23.08.2

v23.08.1

v23.08

v23.06.2

v23.06.1

v23.06

v23.05.2

v23.05.1

v23.05

v23.02.3

v23.02.2

v23.02.1

v23.02

v23.01.1

v23.01

v22.11.1

v22.11

v22.10.2

v22.10.1

v22.10

v22.09.1

v22.09

v22.07.3

v22.07.2

v22.07.1

v22.07

v22.06.2

v22.06.1

v22.06

v22.04.2

v22.04.1

v22.04

v22.03.1

v22.03

v22.02.3

v22.02.2

v22.02.1

v22.02

v21.12.5

v21.12.4

v21.12.3

v21.12.2

v21.12.1

v21.12

v21.11.3

v21.11.2

v21.11.1

v21.11

v21.10.3

v21.10.2

v21.10.1

v21.10

v21.08.6

v21.08.5

v21.08.4

v21.08.3

v21.08.2

v21.08.1

v21.08

v21.05.4

v21.05.3

v21.05.2

v21.05.1

v21.05

v21.04.6

v21.04.5

v21.04.4

v21.04.3

v21.04.2

v21.04.1

v21.04

v0.31.8

v0.31.7

v0.31.6

v0.31.5

v0.31.4

v0.31.3

v0.31.2

v0.31.1

v0.31.0

v0.30.7

v0.30.6

v0.30.5

v0.30.4

v0.30.3

v0.30.2

v0.30.1

v0.30.0

v0.29.3

v0.29.2

v0.29.1

v0.29.0

v0.28.3

v0.28.2

v0.28.1

v0.28.0

v0.27.5

v0.27.4

v0.27.3

v0.27.2

v0.27.1

v0.27

v0.26.4

v0.26.3

v0.26.2

v0.26.1

v0.26.0

v0.25.5

v0.25.4

v0.25.3

v0.25.2

v0.25.1

v0.25.0

v0.24.3

v0.24.2

v0.24.1

v0.24.0

v0.23.2

v0.23.1

v0.23.0

v0.22.0

v0.21.0

v0.20.3

v0.20.2

v0.20.1

v0.20.0

v0.19.0

v0.18.5

v0.18.4

v0.18.3

v0.18.2

v0.18.1

v0.18.0

v0.17.4

v0.17.3

v0.17.2

v0.17.1

v0.17.0

v0.16.3

v0.16.2

v0.16.1

v0.16.0

v0.15.3

v0.15.2

v0.15.1

v0.15.0

v0.14.3

v0.14.2

v0.14.1

v0.14.0

v0.13.1

v0.13.0

v0.12.2

v0.12.1

v0.12.0

v0.11.2

v0.11.1

v0.11.0

v0.10.0

v0.9.3

v0.9.2

v0.9.1

v0.9.0

v0.8.2

v0.8.1

v0.8.0

v0.7.6

v0.7.5

v0.7.4

v0.7.3

0.7.2

v.0.7.1

v0.7.0

v0.6.3

v0.6.2

v0.6.1

v0.6.0

v0.5.0

Labels

Clear labels

🎨 Design

📖 Docs Update

🐛 Bug

🐛 Bug

:cat2:🐈 Possible duplicate

💿 Database

☕ Open to discussion

💻 Front-End

🐕 Support

🚪 Authentication

🌍 Translations

🔌 API Task

🏭 Back-End

⛲ Upstream

🔨 Feature Request

🛠️ Enhancement

🛠️ Enhancement

🛠️ Enhancement

❤️ Happy feedback

🔒 Security

🔍 Pending Validation

💆 UX

📝 WYSIWYG Editor

🌔 Out of scope

🔩 API Request

:octocat: Admin/Meta

🖌️ View Customization

❓ Question

🚀 Priority

🛡️ Blocked

🚚 Export System

♿ A11y

🔧 Maintenance

> Markdown Editor

No Label 🚪 Authentication 🏭 Back-End 🔒 Security

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

OVERLORD

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: starred/BookStack#1636