CVE-2026-33877
Timing Side-Channel Allows Account Enumeration in ApostropheCMS
Publication date: 2026-04-15
Last updated on: 2026-04-20
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| apostrophecms | apostrophecms | < 4.29.0 (4.29.0 excluded) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-208 | Two separate operations in a product require different amounts of time to complete, in a way that is observable to an actor and reveals security-relevant information about the state of the product, such as whether a particular operation was successful or not. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-33877 is a timing side-channel vulnerability in the password reset endpoint of ApostropheCMS versions 4.28.0 and earlier. The vulnerability allows unauthenticated attackers to determine whether a username or email exists in the system by measuring differences in response times.
When a user is not found, the system responds after a fixed 2-second delay. However, if a valid user is found, the system performs database updates and sends an email without adding an equivalent delay. This causes the response time to differ measurably between valid and invalid users.
Because the endpoint accepts both username and email in a single query and lacks rate limiting, attackers can automate requests to enumerate valid accounts. This can be used for credential stuffing or targeted phishing attacks.
Only ApostropheCMS instances with the password reset feature explicitly enabled are affected, as it is disabled by default. The issue was fixed in version 4.29.0 by normalizing response times and adding rate limiting.
How can this vulnerability impact me?
This vulnerability allows attackers to enumerate valid usernames and email addresses without authentication by exploiting timing differences in the password reset endpoint.
- Attackers can confirm the existence of user accounts, which facilitates targeted credential stuffing attacks using known valid usernames or emails.
- It enables targeted phishing campaigns against confirmed users by providing attackers with verified account information.
- The lack of rate limiting on the password reset endpoint allows rapid automated probing, increasing the scale and speed of enumeration attacks.
Overall, this can lead to increased risk of account compromise and social engineering attacks.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by measuring the response times of the password reset endpoint (/api/v1/@apostrophecms/login/reset-request) when submitting usernames or emails. Invalid users consistently trigger a fixed 2-second delay, while valid users cause variable response times due to database updates and email sending operations.
To detect the vulnerability, you can perform repeated POST requests to the password reset endpoint with different usernames or emails and analyze the response times. Statistically significant deviations from the fixed 2-second delay indicate valid accounts.
- Use curl or a similar tool to send POST requests to the endpoint with different usernames or emails. Repeat each request several times and compare medians: network jitter is normally far smaller than the 2-second floor, but a single measurement can still mislead.
- Example command for a username that does not exist (expect a total time of about 2 seconds): `curl -s -X POST https://your-apostrophe-instance/api/v1/@apostrophecms/login/reset-request -H 'Content-Type: application/json' -d '{"username":"invaliduser"}' -w '%{time_total}\n' -o /dev/null`
- Example command for an account that may exist (observe whether the total time differs noticeably; `user@example.com` is a placeholder for an address on your own instance): `curl -s -X POST https://your-apostrophe-instance/api/v1/@apostrophecms/login/reset-request -H 'Content-Type: application/json' -d '{"email":"user@example.com"}' -w '%{time_total}\n' -o /dev/null`
By comparing the response times of these requests, you can identify timing discrepancies that reveal valid usernames or emails.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include:
- Upgrade ApostropheCMS to version 4.29.0 or later, where the vulnerability is fixed.
- If upgrading is not immediately possible, disable the password reset feature by setting the passwordReset option to false (this is the default, so only instances that explicitly enabled it are exposed).
- Implement rate limiting on the password reset endpoint to prevent rapid automated enumeration attempts, since the existing throttle only applies to the login flow.
- Ensure that the password reset endpoint normalizes response times to a constant minimum duration (e.g., 2 seconds) regardless of user existence to prevent timing side-channel leaks.
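The following is an added illustration of the fix described above and of the timing difference explained in the first answer; it is not ApostropheCMS code. It shows a reset-request handler that pads both the found and not-found branches to the same 2-second floor and applies its own per-client rate limit; `findUser`, `enqueueResetEmail` and `req.ip` are assumed names.

```javascript
// Added example, not ApostropheCMS's own code: the shape of the fix described
// for CVE-2026-33877 in a password reset handler. findUser, enqueueResetEmail
// and req.ip are assumed names for illustration.

const MIN_RESPONSE_MS = 2000; // response-time floor applied on every path

// Milliseconds still to wait so the handler never returns earlier than
// minMs after it started, whatever work the branch actually did.
function remainingPaddingMs(startedAtMs, nowMs, minMs = MIN_RESPONSE_MS) {
  const elapsed = nowMs - startedAtMs;
  return elapsed >= minMs ? 0 : minMs - elapsed;
}

// Fixed-window limiter keyed by client (e.g. source IP); the login throttle
// did not cover reset-request, so the endpoint needs its own.
class ResetRateLimiter {
  constructor(maxRequests, windowMs) {
    this.maxRequests = maxRequests;
    this.windowMs = windowMs;
    this.windows = new Map(); // clientKey -> { start, count }
  }
  allow(clientKey, nowMs) {
    let w = this.windows.get(clientKey);
    if (!w || nowMs - w.start >= this.windowMs) {
      w = { start: nowMs, count: 0 };
      this.windows.set(clientKey, w);
    }
    w.count += 1;
    return w.count <= this.maxRequests;
  }
}

// Hardened handler: found and not-found branches both finish no earlier than
// MIN_RESPONSE_MS and return an identical body.
async function handleResetRequest(req, deps) {
  const { findUser, enqueueResetEmail, limiter, now, sleep } = deps;
  const startedAt = now();
  if (!limiter.allow(req.ip, startedAt)) {
    return { status: 429, body: { message: 'Too many requests' } };
  }
  const user = await findUser(req.body.username || req.body.email);
  if (user) {
    // Queue the email rather than sending it inline, so the found branch does
    // not carry an SMTP round-trip that could exceed the floor.
    await enqueueResetEmail(user);
  }
  await sleep(remainingPaddingMs(startedAt, now()));
  return { status: 200, body: { message: 'If the account exists, a reset email has been sent.' } };
}
```

The padding only hides the difference while the slow branch stays under the floor, which is why the email is queued rather than sent inline; if database work can approach 2 seconds, the floor must be raised accordingly.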
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability allows unauthenticated attackers to enumerate valid usernames and email addresses by exploiting timing differences in the password reset endpoint. Such user enumeration can facilitate targeted credential stuffing and phishing attacks, potentially leading to unauthorized access or exposure of personal data.
From a compliance perspective, this vulnerability could impact adherence to standards like GDPR and HIPAA, which require protection of personal data and user privacy. The ability to confirm valid user accounts may increase the risk of data breaches or unauthorized access, thereby undermining the confidentiality and security controls mandated by these regulations.
However, the vulnerability is rated as low severity (CVSS 3.7) and only affects instances with the password reset feature explicitly enabled. Mitigations such as normalizing response times and implementing rate limiting reduce the risk of exploitation.