GHSA-M983-7426-5HRJ
Vulnerability from github – Published: 2026-03-24 22:25 – Updated: 2026-03-30 20:27
Summary
A public access-control flaw allows unauthenticated users to retrieve the full user list from GET /api/allusers. This exposes user profile metadata to anyone who can reach the application and enables remote user enumeration.
Details
The vulnerable route is registered as a public endpoint:
- internal/router/user.go:17
  - appRouterGroup.PublicRouterGroup.GET("/allusers", h.UserHandler.GetAllUsers())
However, the handler appears to have been intended as an authenticated endpoint:
- internal/handler/user/user.go:177-185
  - API annotations indicate an authentication requirement via @Security ApiKeyAuth
This creates a mismatch between the documented security model and the actual routing configuration. As a result, requests to GET /api/allusers succeed without authentication and return user records, including profile metadata such as usernames, email addresses, role-related flags, avatar values, and locale information.
A negative control against another endpoint that correctly requires authentication further supports that this exposure is unintended: GET /api/user returns 401 Unauthorized when no token is supplied, while GET /api/allusers remains publicly accessible.
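To make the routing mismatch concrete, here is an added Go example (not Ech0's own code) that builds a minimal mux both ways, with the user-list route in the public group as the advisory describes and behind an auth check as the hardened form, then probes each route without a token the way the advisory's negative control does. requireAuth, NewRouter, Unprotected and the single fake user record are assumptions standing in for the project's router groups and handler.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)
// requireAuth: hypothetical stand-in for the project's authenticated router group.
func requireAuth(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Header.Get("Authorization") == "" { // any non-empty token passes here
			http.Error(w, "401 Unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// NewRouter: allusersPublic=true mirrors the advisory's bug, false the hardened form.
func NewRouter(allusersPublic bool) http.Handler {
	// Constructed stand-in for h.UserHandler.GetAllUsers(): one fake record.
	users := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Write([]byte(`[{"username":"alice","email":"alice@example.com"}]`))
	})
	mux := http.NewServeMux()
	mux.Handle("/api/user", requireAuth(users)) // negative control: always protected
	if allusersPublic {
		mux.Handle("/api/allusers", users) // registered in the public group
	} else {
		mux.Handle("/api/allusers", requireAuth(users)) // behind the auth middleware
	}
	return mux
}

// Unprotected sends a tokenless GET to each path and returns those answering 200.
func Unprotected(router http.Handler, paths []string) []string {
	var leaks []string
	for _, p := range paths {
		rec := httptest.NewRecorder()
		router.ServeHTTP(rec, httptest.NewRequest(http.MethodGet, p, nil))
		if rec.Code == http.StatusOK {
			leaks = append(leaks, p)
		}
	}
	return leaks
}
func main() {
	routes := []string{"/api/user", "/api/allusers"}
	fmt.Println(Unprotected(NewRouter(true), routes), Unprotected(NewRouter(false), routes))
}
```

Running Unprotected over every route annotated @Security ApiKeyAuth in a test suite catches this class of router-group mismatch before release.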
Impact
- Type: Access control bypass / unauthenticated data exposure
- Who is impacted: Any deployment exposing the API to untrusted networks, and all users whose profile metadata is returned by the endpoint
- Security impact: Enables remote user enumeration and disclosure of user profile metadata, which may facilitate account reconnaissance, phishing, and targeted credential attacks
- Attack preconditions: None beyond network access to the affected API endpoint
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/lin-snow/ech0"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.4.8-0.20260322121226-acbf1fd71011"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-33638"
],
"database_specific": {
"cwe_ids": [
"CWE-862"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-24T22:25:03Z",
"nvd_published_at": "2026-03-26T21:17:07Z",
"severity": "MODERATE"
},
"details": "### Summary\nA public access-control flaw allows unauthenticated users to retrieve the full user list from `GET /api/allusers`. This exposes user profile metadata to anyone who can reach the application and enables remote user enumeration.\n\n### Details\nThe vulnerable route is registered as a public endpoint:\n\n- `internal/router/user.go:17`\n - `appRouterGroup.PublicRouterGroup.GET(\"/allusers\", h.UserHandler.GetAllUsers())`\n\nHowever, the handler appears to have been intended as an authenticated endpoint:\n\n- `internal/handler/user/user.go:177-185`\n - API annotations indicate an authentication requirement via `@Security ApiKeyAuth`\n\nThis creates a mismatch between the documented security model and the actual routing configuration. As a result, requests to `GET /api/allusers` succeed without authentication and return user records, including profile metadata such as usernames, email addresses, role-related flags, avatar values, and locale information.\n\nA negative control against another endpoint that correctly requires authentication further supports that this exposure is unintended: `GET /api/user` returns `401 Unauthorized` when no token is supplied, while `GET /api/allusers` remains publicly accessible.\n\n### Impact\n- **Type:** Access control bypass / unauthenticated data exposure\n- **Who is impacted:** Any deployment exposing the API to untrusted networks, and all users whose profile metadata is returned by the endpoint\n- **Security impact:** Enables remote user enumeration and disclosure of user profile metadata, which may facilitate account reconnaissance, phishing, and targeted credential attacks\n- **Attack preconditions:** None beyond network access to the affected API endpoint",
"id": "GHSA-m983-7426-5hrj",
"modified": "2026-03-30T20:27:17Z",
"published": "2026-03-24T22:25:03Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/lin-snow/Ech0/security/advisories/GHSA-m983-7426-5hrj"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33638"
},
{
"type": "WEB",
"url": "https://github.com/lin-snow/Ech0/commit/acbf1fd71011e6b9e1e6a911128056a19862f681"
},
{
"type": "PACKAGE",
"url": "https://github.com/lin-snow/Ech0"
},
{
"type": "WEB",
"url": "https://github.com/lin-snow/Ech0/releases/tag/v4.2.0"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Ech0 authenticated user-list exposed data via public `/api/allusers` endpoint "
}
Sightings
| Author | Source | Type | Date | Other |
|---|---|---|---|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.