diff --git a/src/Core/KeyManagement/Utilities/EncryptionParsing.cs b/src/Core/KeyManagement/Utilities/EncryptionParsing.cs
index 269ff51228..ffe8cb3134 100644
--- a/src/Core/KeyManagement/Utilities/EncryptionParsing.cs
+++ b/src/Core/KeyManagement/Utilities/EncryptionParsing.cs
@@ -6,7 +6,6 @@ public static class EncryptionParsing
{
///
/// Helper method to convert an encryption type string to an enum value.
- /// Accepts formats like "Header.iv|ct|mac" or "Header" COSE format.
///
public static EncryptionType GetEncryptionType(string encString)
{
diff --git a/src/Identity/IdentityServer/RequestValidators/BaseRequestValidator.cs b/src/Identity/IdentityServer/RequestValidators/BaseRequestValidator.cs
index 54e432de84..b1bff766a4 100644
--- a/src/Identity/IdentityServer/RequestValidators/BaseRequestValidator.cs
+++ b/src/Identity/IdentityServer/RequestValidators/BaseRequestValidator.cs
@@ -111,7 +111,8 @@ public abstract class BaseRequestValidator where T : class
}
else
{
- // 1. We need to check if the user is legitimate via the appropriate mechanism through.
+ // 1. We need to check if the user is legitimate via the contextually appropriate mechanism
+ // (webauthn, password, custom token, etc.).
var valid = await ValidateContextAsync(context, validatorContext);
var user = validatorContext.User;
if (!valid)
@@ -123,8 +124,10 @@ public abstract class BaseRequestValidator where T : class
}
// 1.5 Now check the version number of the client. Do this after ValidateContextAsync so that
- // we prevent account enumeration. If we were to do this before we would validate that a given user
- // could exist
+ // we prevent account enumeration. If we were to do this before ValidateContextAsync, then attackers
+ // could use a known invalid client version and make a request for a user (before we know if they have
+ // demonstrated ownership of the account via correct credentials) and identify if they exist by getting
+ // an error response back from the validator saying the user is not compatible with the client.
await ValidateClientVersionAsync(context, validatorContext);
// 2. Decide if this user belongs to an organization that requires SSO.
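Review bot: The enumeration-safe ordering this comment describes — ValidateClientVersionAsync only after ValidateContextAsync has rejected bad credentials — is enforced by statement order alone, and nothing in the commit pins it. Since BaseRequestValidatorTests now holds an IClientVersionValidator substitute, the existing invalid-credentials test there can assert the version validator was never reached, e.g. `Assert.Empty(_clientVersionValidator.ReceivedCalls());` after the act step, so a future reordering fails a test instead of silently reintroducing the user-existence oracle. Whether the result of ValidateClientVersionAsync is acted on is not visible here; the enclosing method starts and ends outside the hunk.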
diff --git a/test/Identity.Test/IdentityServer/BaseRequestValidatorTests.cs b/test/Identity.Test/IdentityServer/BaseRequestValidatorTests.cs
index e78c7d161c..9a3d4dd711 100644
--- a/test/Identity.Test/IdentityServer/BaseRequestValidatorTests.cs
+++ b/test/Identity.Test/IdentityServer/BaseRequestValidatorTests.cs
@@ -55,6 +55,7 @@ public class BaseRequestValidatorTests
private readonly IAuthRequestRepository _authRequestRepository;
private readonly IMailService _mailService;
private readonly IUserAccountKeysQuery _userAccountKeysQuery;
+ private readonly IClientVersionValidator _clientVersionValidator;
private readonly BaseRequestValidatorTestWrapper _sut;
@@ -78,6 +79,7 @@ public class BaseRequestValidatorTests
_authRequestRepository = Substitute.For();
_mailService = Substitute.For();
_userAccountKeysQuery = Substitute.For();
+ _clientVersionValidator = Substitute.For();
_sut = new BaseRequestValidatorTestWrapper(
_userManager,
@@ -97,7 +99,8 @@ public class BaseRequestValidatorTests
_policyRequirementQuery,
_authRequestRepository,
_mailService,
- _userAccountKeysQuery);
+ _userAccountKeysQuery,
+ _clientVersionValidator);
}
private void SetupRecoveryCodeSupportForSsoRequiredUsersFeatureFlag(bool recoveryCodeSupportEnabled)
diff --git a/test/Identity.Test/IdentityServer/RequestValidators/ClientVersionValidatorTests.cs b/test/Identity.Test/IdentityServer/RequestValidators/ClientVersionValidatorTests.cs
index 45fd26169a..65a9904246 100644
--- a/test/Identity.Test/IdentityServer/RequestValidators/ClientVersionValidatorTests.cs
+++ b/test/Identity.Test/IdentityServer/RequestValidators/ClientVersionValidatorTests.cs
@@ -40,7 +40,7 @@ public class ClientVersionValidatorTests
Assert.False(ok);
Assert.NotNull(ctx.ValidationErrorResult);
Assert.True(ctx.ValidationErrorResult.IsError);
- Assert.Equal("invalid_grant", ctx.ValidationErrorResult.Error);
+ Assert.Equal("invalid_client_version", ctx.ValidationErrorResult.Error);
}
[Fact]
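Review bot: `invalid_client_version` is not one of the token-endpoint error codes RFC 6749 §5.2 defines (invalid_request, invalid_client, invalid_grant, unauthorized_client, unsupported_grant_type, invalid_scope); extension codes are permitted by §8.5, but a client that only switches on the standard set will treat it as an unknown error, so the choice deserves a line where it is asserted, e.g. `// Extension error code (RFC 6749 §8.5), intentionally distinct from the standard invalid_grant.`. Because this response is distinguishable from a credential failure, it is presumably only safe in combination with the ordering described in the BaseRequestValidator comment (version check after credential validation), which is worth stating next to the assertion. The test method's name and setup lie outside the hunk.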
diff --git a/test/Identity.Test/Wrappers/BaseRequestValidatorTestWrapper.cs b/test/Identity.Test/Wrappers/BaseRequestValidatorTestWrapper.cs
index dc6d80a730..bd8fcd4bda 100644
--- a/test/Identity.Test/Wrappers/BaseRequestValidatorTestWrapper.cs
+++ b/test/Identity.Test/Wrappers/BaseRequestValidatorTestWrapper.cs
@@ -66,8 +66,8 @@ IBaseRequestValidatorTestWrapper
IPolicyRequirementQuery policyRequirementQuery,
IAuthRequestRepository authRequestRepository,
IMailService mailService,
- IClientVersionValidator clientVersionValidator,
- IUserAccountKeysQuery userAccountKeysQuery) :
+ IUserAccountKeysQuery userAccountKeysQuery,
+ IClientVersionValidator clientVersionValidator) :
base(
userManager,
userService,