CVE-2026-33638
Received Received - Intake
User Enumeration Vulnerability in Ech0 API Exposes User Data

Publication date: 2026-03-26

Last updated on: 2026-03-31

Assigner: GitHub, Inc.

Description
Ech0 is an open-source, self-hosted publishing platform for personal idea sharing. Prior to version 4.2.0, `GET /api/allusers` is mounted as a public endpoint and returns user records without authentication. This allows remote unauthenticated user enumeration and exposure of user profile metadata. A fix is available in v4.2.0.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-26
Last Modified
2026-03-31
Generated
2026-06-16
AI Q&A
2026-03-26
EPSS Evaluated
2026-06-14
NVD
CVE-2026-33638
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
ech0 ech0 to 4.2.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-33638 is a vulnerability in the Ech0 open-source publishing platform where the GET /api/allusers endpoint was publicly accessible without requiring authentication prior to version 4.2.0.

This means that anyone, even without logging in, could access this endpoint and retrieve user records including profile metadata.

The issue was caused by the endpoint being registered under public routes instead of protected routes, resulting in a missing authorization check (CWE-862).

The vulnerability was fixed by moving the /api/allusers route to require authentication, ensuring only authorized users can access it.

Impact Analysis

This vulnerability allows remote unauthenticated attackers to enumerate user accounts and access user profile metadata without any credentials.

Such exposure can facilitate targeted attacks, such as credential stuffing or social engineering, by providing attackers with information about valid users.

It poses a moderate security risk as it leaks confidential user information, although it does not affect data integrity or availability.

Detection Guidance

This vulnerability can be detected by sending an unauthenticated GET request to the /api/allusers endpoint and observing the response.

If the response returns user profile metadata with HTTP status 200 OK without requiring authentication, the system is vulnerable.

A simple command to test this using curl would be:

  • curl -i http://<target-host>/api/allusers

If the response includes user data and does not return a 401 Unauthorized status, the vulnerability is present.

Mitigation Strategies

The immediate mitigation step is to upgrade Ech0 to version 4.2.0 or later, where the /api/allusers endpoint is protected by authentication.

This update moves the /allusers route from a public route group to an authenticated route group, enforcing access control.

Until the upgrade can be applied, restrict access to the /api/allusers endpoint by network controls such as firewall rules or API gateway policies to prevent unauthenticated access.

Compliance Impact

The vulnerability allows remote unauthenticated user enumeration and exposure of user profile metadata through a publicly accessible API endpoint. This exposure of user data without proper authorization could lead to non-compliance with data protection regulations such as GDPR and HIPAA, which require safeguarding personal and sensitive information against unauthorized access.

Specifically, the unauthorized disclosure of user profile metadata may violate principles of confidentiality and data minimization mandated by these standards, potentially resulting in regulatory penalties or increased risk of targeted attacks.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-33638. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart