CVE-2026-33638: CWE-862: Missing Authorization in lin-snow Ech0
CVE-2026-33638 is a medium severity vulnerability in lin-snow Ech0 versions prior to 4. 2. 0. The issue is a missing authorization check on the GET /api/allusers endpoint, which is publicly accessible and returns user profile metadata without requiring authentication. This allows unauthenticated remote attackers to enumerate users and access their profile information. A fix addressing this issue is available in version 4. 2. 0.
AI Analysis
Technical Summary
Ech0, an open-source self-hosted publishing platform, had a missing authorization vulnerability (CWE-862) in versions before 4.2.0. The GET /api/allusers endpoint was exposed publicly without authentication, enabling remote unauthenticated user enumeration and disclosure of user profile metadata. This vulnerability has a CVSS 3.1 base score of 5.3, indicating medium severity. The vendor fixed the issue in Ech0 version 4.2.0 by restricting access to this endpoint.
Potential Impact
The vulnerability allows remote unauthenticated attackers to enumerate all users and obtain user profile metadata from the Ech0 platform. This exposure of user information could facilitate further targeted attacks or privacy violations. There is no indication of impact on data integrity or availability.
Mitigation Recommendations
Upgrade Ech0 to version 4.2.0 or later, where the GET /api/allusers endpoint is properly secured with authorization checks. This official fix eliminates the unauthorized user enumeration risk.
CVE-2026-33638: CWE-862: Missing Authorization in lin-snow Ech0
Description
CVE-2026-33638 is a medium severity vulnerability in lin-snow Ech0 versions prior to 4. 2. 0. The issue is a missing authorization check on the GET /api/allusers endpoint, which is publicly accessible and returns user profile metadata without requiring authentication. This allows unauthenticated remote attackers to enumerate users and access their profile information. A fix addressing this issue is available in version 4. 2. 0.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
Ech0, an open-source self-hosted publishing platform, had a missing authorization vulnerability (CWE-862) in versions before 4.2.0. The GET /api/allusers endpoint was exposed publicly without authentication, enabling remote unauthenticated user enumeration and disclosure of user profile metadata. This vulnerability has a CVSS 3.1 base score of 5.3, indicating medium severity. The vendor fixed the issue in Ech0 version 4.2.0 by restricting access to this endpoint.
Potential Impact
The vulnerability allows remote unauthenticated attackers to enumerate all users and obtain user profile metadata from the Ech0 platform. This exposure of user information could facilitate further targeted attacks or privacy violations. There is no indication of impact on data integrity or availability.
Mitigation Recommendations
Upgrade Ech0 to version 4.2.0 or later, where the GET /api/allusers endpoint is properly secured with authorization checks. This official fix eliminates the unauthorized user enumeration risk.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-03-23T14:24:11.619Z
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 69c5a1c53c064ed76fce0c41
Added to database: 3/26/2026, 9:14:45 PM
Last enriched: 4/3/2026, 1:29:59 PM
Last updated: 5/10/2026, 2:11:23 PM
Views: 52
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.