If catalog user account's password contains special character & , the catalog's web service call "login" method will fail with this user account even though this account is able to login catalog UI without any issue.
It's more of a restriction with XML. The XML language doesn't allow special characters within nodes in a XML document. So when the web service is invoked using XML document the & is not treated correctly.
It is not a bug with catalog neither a problem with web services.
To overcome this problem you can simply replace '&' with '&'
If you are using catalog web service call in PAM process , here has the information about how to pre-process the input parameter which contains special character & before .