Description
Ech0 is an open-source, self-hosted publishing platform for personal idea sharing. Prior to version 4.2.0, `GET /api/allusers` is mounted as a public endpoint and returns user records without authentication. This allows remote unauthenticated user enumeration and exposure of user profile metadata. A fix is available in v4.2.0.
Published: 2026-03-26
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthenticated user enumeration exposing personal data
Action: Immediate Patch
AI Analysis

Impact

An unauthenticated GET request to the public /api/allusers endpoint returns full user records, exposing personal profile details such as usernames and metadata; the flaw is a missing authentication check (CWE-862) that allows remote users to enumerate accounts without credentials, potentially enabling social engineering or identity theft but does not provide code execution or data modification rights.

Affected Systems

The Ech0 open‑source publishing platform, versions prior to v4.2.0, is affected; the vulnerable product is Ech0, hosted by lin‑snow, and any deployment running an unpatched instance of Ech0 before the v4.2.0 release can be impacted.

Risk and Exploitability

The vulnerability has a CVSS base score of 5.3 indicating moderate severity; the EPSS score is below 1% suggesting low likelihood of exploitation, and it is not present in the CISA KEV catalog; the attack vector is remote over HTTP/HTTPS, requiring no local privileges, and exploitation yields exposure of all user records but no alteration or code execution capabilities.

Generated by OpenCVE AI on April 1, 2026 at 06:17 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply Ech0 update to v4.2.0 or later
  • Restrict GET /api/allusers to authenticated users if patch cannot be applied
  • Verify deployed version and audit configuration
  • Monitor access logs for enumeration patterns

Generated by OpenCVE AI on April 1, 2026 at 06:17 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-m983-7426-5hrj Ech0 authenticated user-list exposed data via public `/api/allusers` endpoint
History

Wed, 01 Apr 2026 02:15:00 +0000

Type Values Removed Values Added
First Time appeared Ech0
Ech0 ech0
CPEs cpe:2.3:a:ech0:ech0:*:*:*:*:*:*:*:*
Vendors & Products Ech0
Ech0 ech0

Sat, 28 Mar 2026 03:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 27 Mar 2026 08:45:00 +0000

Type Values Removed Values Added
First Time appeared Lin-snow
Lin-snow ech0
Vendors & Products Lin-snow
Lin-snow ech0

Thu, 26 Mar 2026 21:15:00 +0000

Type Values Removed Values Added
Description Ech0 is an open-source, self-hosted publishing platform for personal idea sharing. Prior to version 4.2.0, `GET /api/allusers` is mounted as a public endpoint and returns user records without authentication. This allows remote unauthenticated user enumeration and exposure of user profile metadata. A fix is available in v4.2.0.
Title Ech0 authenticated user-list exposed data via public `/api/allusers` endpoint
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}

Subscriptions

Ech0 Ech0
Lin-snow Ech0
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-27T20:19:07.459Z

Reserved: 2026-03-23T14:24:11.619Z

Link: CVE-2026-33638

cve-icon Vulnrichment

Updated: 2026-03-27T20:18:44.481Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-26T21:17:07.467

Modified: 2026-03-31T21:09:16.307

Link: CVE-2026-33638

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-02T07:56:19Z

Weaknesses