{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33638", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-23T14:24:11.619Z", "datePublished": "2026-03-26T20:52:40.464Z", "dateUpdated": "2026-03-26T20:52:40.464Z"}, "containers": {"cna": {"title": "Ech0 authenticated user-list exposed data via public `/api/allusers` endpoint", "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "lang": "en", "description": "CWE-862: Missing Authorization", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/lin-snow/Ech0/security/advisories/GHSA-m983-7426-5hrj", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/lin-snow/Ech0/security/advisories/GHSA-m983-7426-5hrj"}, {"name": "https://github.com/lin-snow/Ech0/commit/acbf1fd71011e6b9e1e6a911128056a19862f681", "tags": ["x_refsource_MISC"], "url": "https://github.com/lin-snow/Ech0/commit/acbf1fd71011e6b9e1e6a911128056a19862f681"}, {"name": "https://github.com/lin-snow/Ech0/releases/tag/v4.2.0", "tags": ["x_refsource_MISC"], "url": "https://github.com/lin-snow/Ech0/releases/tag/v4.2.0"}], "affected": [{"vendor": "lin-snow", "product": "Ech0", "versions": [{"version": "< 4.2.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-26T20:52:40.464Z"}, "descriptions": [{"lang": "en", "value": "Ech0 is an open-source, self-hosted publishing platform for personal idea sharing. Prior to version 4.2.0, `GET /api/allusers` is mounted as a public endpoint and returns user records without authentication. This allows remote unauthenticated user enumeration and exposure of user profile metadata. A fix is available in v4.2.0."}], "source": {"advisory": "GHSA-m983-7426-5hrj", "discovery": "UNKNOWN"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Ech0 is an open-source, self-hosted publishing platform for personal idea sharing. Prior to version 4.2.0, `GET /api/allusers` is mounted as a public endpoint and returns user records without authentication. This allows remote unauthenticated user enumeration and exposure of user profile metadata. A fix is available in v4.2.0."}], "id": "CVE-2026-33638", "lastModified": "2026-03-26T21:17:07.467", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-26T21:17:07.467", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/lin-snow/Ech0/commit/acbf1fd71011e6b9e1e6a911128056a19862f681"}, {"source": "security-advisories@github.com", "url": "https://github.com/lin-snow/Ech0/releases/tag/v4.2.0"}, {"source": "security-advisories@github.com", "url": "https://github.com/lin-snow/Ech0/security/advisories/GHSA-m983-7426-5hrj"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,4.2.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Ech0", "source": "cna", "vendor": "lin-snow"}, "product": "ech0", "vendor": "lin-snow"}], "analysis": {"en": {"generated_at": "2026-03-26T22:23:58.658058+00:00", "value": {"mitigation_remediation": ["Upgrade Ech0 to version 4.2.0 or later to eliminate the public /api/allusers endpoint", "If upgrading immediately is not possible, restrict access to the /api/allusers route using network ACLs or a web\u2011application firewall", "Verify that authentication mechanisms are correctly applied to all APIs after deployment", "Monitor application logs for repeated enumeration attempts and investigate any abnormal activity"], "summary": {"action": "Apply Patch", "impact": "Remote Unauthenticated User Information Disclosure"}, "threat_synthesis": {"affected_systems": "The affected product is Ech0, an open\u2011source platform provided by lin\u2011snow. Versions older than 4.2.0 are vulnerable; the fix was released with Ech0\u202fv4.2.0.", "description_and_impact": "Ech0 is a self\u2011hosted publishing platform that, before version 4.2.0, exposed a REST endpoint at GET\u202f/api/allusers. This endpoint was publicly accessible and returned a list of user records without requiring any authentication. The exposed data includes user profile metadata. An attacker can therefore enumerate users and retrieve personal information that could be used for phishing, social engineering, or other malicious activities. The underlying weakness aligns with CWE\u2011862, a user identification or authentication failure.", "risk_and_exploitability": "The CVSS score of 5.3 indicates a moderate impact. No EPSS data is published, so the likelihood of exploitation cannot be quantified. According to the information available, the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog, suggesting that at present there is no evidence of active exploitation. The attack vector is clearly remote, requiring only unauthenticated access to the public endpoint. An attacker can trivially trigger the vulnerability by sending a simple HTTP GET request and obtain the data returned in the response."}}}}, "created": "2026-03-27T08:31:54.999216+00:00", "updated": "2026-03-27T09:23:22.614495+00:00", "vendors": ["lin-snow", "lin-snow$PRODUCT$ech0"]}