CVE-2026-33638
User Enumeration Vulnerability in Ech0 API Exposes User Data
Publication date: 2026-03-26
Last updated on: 2026-03-31
Assigner: GitHub, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| ech0 | ech0 | before 4.2.0 (4.2.0 excluded) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-33638 is a vulnerability in the Ech0 open-source publishing platform where the GET /api/allusers endpoint was publicly accessible without requiring authentication prior to version 4.2.0.
This means that anyone, even without logging in, could access this endpoint and retrieve user records including profile metadata.
The issue was caused by the endpoint being registered under public routes instead of protected routes, resulting in a missing authorization check (CWE-862).
The vulnerability was fixed by moving the /api/allusers route to require authentication, ensuring only authorized users can access it.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows remote unauthenticated user enumeration and exposure of user profile metadata through a publicly accessible API endpoint. This exposure of user data without proper authorization could lead to non-compliance with data protection regulations such as GDPR and HIPAA, which require safeguarding personal and sensitive information against unauthorized access.
Specifically, the unauthorized disclosure of user profile metadata may violate principles of confidentiality and data minimization mandated by these standards, potentially resulting in regulatory penalties or increased risk of targeted attacks.
How can this vulnerability impact me?
This vulnerability allows remote unauthenticated attackers to enumerate user accounts and access user profile metadata without any credentials.
Such exposure can facilitate targeted attacks, such as credential stuffing or social engineering, by providing attackers with information about valid users.
It poses a moderate security risk as it leaks confidential user information, although it does not affect data integrity or availability.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by sending an unauthenticated GET request to the /api/allusers endpoint and observing the response.
If the response returns user profile metadata with HTTP status 200 OK without requiring authentication, the system is vulnerable.
A simple command to test this using curl would be:
- `curl -i http://<target-host>/api/allusers`
If the response includes user data and does not return a 401 Unauthorized status, the vulnerability is present.
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade Ech0 to version 4.2.0 or later, where the /api/allusers endpoint is protected by authentication.
This update moves the /allusers route from a public route group to an authenticated route group, enforcing access control.
Until the upgrade can be applied, restrict access to the /api/allusers endpoint by network controls such as firewall rules or API gateway policies to prevent unauthenticated access.
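The explanation, detection and mitigation answers above all describe the same defect: a route that belongs in the authenticated group was registered in the public group. The following Go program is an added example written for this page, not Ech0's own code; it uses only the standard library, and the user fields, the `EXAMPLE-TOKEN` bearer token and the `/api/status` route are constructed assumptions. `NewRouter(false)` reproduces the pre-4.2.0 layout, `NewRouter(true)` applies the fix described in the mitigation answer, and `ProbeAllUsers` performs the same check as the curl command in the detection answer so an operator can verify an upgrade took effect.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// User is a constructed record standing in for the profile metadata the
// real endpoint returns; the field names are assumptions, not Ech0's schema.
type User struct {
	ID       int    `json:"id"`
	Username string `json:"username"`
	Avatar   string `json:"avatar"`
}

// sampleUsers is constructed sample data for this example.
var sampleUsers = []User{
	{ID: 1, Username: "alice", Avatar: "/img/alice.png"},
	{ID: 2, Username: "bob", Avatar: "/img/bob.png"},
}

// validToken is a placeholder; a real deployment validates a session or JWT.
const validToken = "EXAMPLE-TOKEN"

// requireAuth is the authorization check whose absence is CWE-862: any
// request without the expected bearer token is rejected with 401.
func requireAuth(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		got := strings.TrimPrefix(r.Header.Get("Authorization"), "Bearer ")
		if got == "" || got != validToken {
			http.Error(w, `{"error":"unauthorized"}`, http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// allUsersHandler returns every user record as a JSON array.
func allUsersHandler(w http.ResponseWriter, r *http.Request) {
	w.Header().Set("Content-Type", "application/json")
	json.NewEncoder(w).Encode(sampleUsers)
}

// NewRouter builds the API. With protectAllUsers=false, /api/allusers is
// registered like a public route (the pre-4.2.0 situation); with true it is
// wrapped in requireAuth, which is what moving it to the protected group does.
func NewRouter(protectAllUsers bool) http.Handler {
	mux := http.NewServeMux()
	// Public group: an endpoint that legitimately needs no login (assumed name).
	mux.HandleFunc("/api/status", func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprint(w, `{"ok":true}`)
	})
	var allUsers http.Handler = http.HandlerFunc(allUsersHandler)
	if protectAllUsers {
		allUsers = requireAuth(allUsers)
	}
	mux.Handle("/api/allusers", allUsers)
	return mux
}

// ProbeAllUsers is the programmatic form of `curl -i <host>/api/allusers`
// with no credentials. It reports true only when the endpoint answers
// 200 OK with a non-empty JSON array, i.e. user data is exposed.
func ProbeAllUsers(baseURL string) (bool, error) {
	resp, err := http.Get(strings.TrimRight(baseURL, "/") + "/api/allusers")
	if err != nil {
		return false, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return false, nil // 401/403 means the check is in place
	}
	var users []map[string]any
	if err := json.NewDecoder(resp.Body).Decode(&users); err != nil {
		return false, nil // 200 but not a user list: not the exposure in question
	}
	return len(users) > 0, nil
}

func main() {
	// Stand-alone demo: probe both layouts on local in-process servers.
	for _, protected := range []bool{false, true} {
		srv := httptest.NewServer(NewRouter(protected))
		exposed, err := ProbeAllUsers(srv.URL)
		fmt.Printf("protected=%v exposed=%v err=%v\n", protected, exposed, err)
		srv.Close()
	}
}
```

The probe deliberately treats any non-200 status as "not exposed" rather than insisting on 401, so it also passes a gateway rule that answers 403 or a network block that refuses the connection, which matches the interim mitigation above.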