Description
Ech0 is an open-source, self-hosted publishing platform for personal idea sharing. Prior to version 4.2.0, `GET /api/allusers` is mounted as a public endpoint and returns user records without authentication. This allows remote unauthenticated user enumeration and exposure of user profile metadata. A fix is available in v4.2.0.
Published: 2026-03-26
Score: 5.3 Medium
EPSS: n/a
KEV: No
Impact: Remote Unauthenticated User Information Disclosure
Action: Apply Patch
AI Analysis

Impact

Ech0 is a self-hosted publishing platform that, before version 4.2.0, exposed a REST endpoint at GET /api/allusers. This endpoint was publicly accessible and returned a list of user records without requiring any authentication. The exposed data includes user profile metadata. An attacker can therefore enumerate users and retrieve personal information that could be used for phishing, social engineering, or other malicious activities. The underlying weakness is CWE-862 (Missing Authorization): the route is served without checking that the caller is an authenticated user.

Affected Systems

The affected product is Ech0, an open-source platform provided by lin-snow. Versions older than 4.2.0 are vulnerable; the fix was released with Ech0 v4.2.0.

Risk and Exploitability

The CVSS score of 5.3 indicates a moderate impact. No EPSS data is published, so the likelihood of exploitation cannot be quantified. According to the information available, the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog, suggesting that at present there is no evidence of active exploitation. The attack vector is clearly remote, requiring only unauthenticated access to the public endpoint. An attacker can trivially trigger the vulnerability by sending a simple HTTP GET request and obtain the data returned in the response.

Generated by OpenCVE AI on March 26, 2026 at 22:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Ech0 to version 4.2.0 or later to eliminate the public /api/allusers endpoint
  • If upgrading immediately is not possible, restrict access to the /api/allusers route using network ACLs or a web application firewall
  • Verify that authentication mechanisms are correctly applied to all APIs after deployment
  • Monitor application logs for repeated enumeration attempts and investigate any abnormal activity
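
As an added example (not Ech0's own code; this page does not describe Ech0's router or authentication layer), the following Go program uses only the standard library to show the CWE-862 shape behind this advisory and the post-deployment check the recommended actions ask for: the same `/api/allusers` handler mounted publicly, as the pre-4.2.0 versions did, and behind a hypothetical `requireAuth` bearer-token middleware, plus a probe that reports every route answering 200 to an anonymous request. The user records, the static token and the middleware are constructed for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// User mirrors the kind of profile metadata the advisory says was exposed.
// Field names and sample values are constructed for this example.
type User struct {
	ID       int    `json:"id"`
	Username string `json:"username"`
	Email    string `json:"email"`
}

// sampleUsers is constructed sample data, not real Ech0 records.
var sampleUsers = []User{
	{1, "alice", "alice@example.invalid"},
	{2, "bob", "bob@example.invalid"},
}

// allUsersHandler returns every user record. On its own it performs no
// authorization check: this is the CWE-862 pattern the advisory describes.
func allUsersHandler(w http.ResponseWriter, r *http.Request) {
	w.Header().Set("Content-Type", "application/json")
	json.NewEncoder(w).Encode(sampleUsers)
}

// requireAuth is a hypothetical middleware that rejects requests lacking a
// valid bearer token. A real deployment would validate a session or JWT; a
// static token keeps the example self-contained.
func requireAuth(validToken string, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Header.Get("Authorization") != "Bearer "+validToken {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// newMux builds a router. protectAll=false reproduces the pre-4.2.0 shape
// (user list mounted publicly); protectAll=true wraps every /api route.
func newMux(protectAll bool, token string) *http.ServeMux {
	mux := http.NewServeMux()
	routes := map[string]http.Handler{
		"/api/allusers": http.HandlerFunc(allUsersHandler),
	}
	for path, h := range routes {
		if protectAll {
			h = requireAuth(token, h)
		}
		mux.Handle(path, h)
	}
	return mux
}

// unauthenticatedRoutes probes each path with no credentials and returns the
// ones that answer 200, i.e. routes that serve data to anonymous callers.
// This is the "verify authentication is applied to all APIs" check.
func unauthenticatedRoutes(h http.Handler, paths []string) []string {
	var leaking []string
	for _, p := range paths {
		rec := httptest.NewRecorder()
		h.ServeHTTP(rec, httptest.NewRequest(http.MethodGet, p, nil))
		if rec.Code == http.StatusOK {
			leaking = append(leaking, p)
		}
	}
	return leaking
}

// statusWithToken sends a GET carrying a bearer token and returns the status
// code, confirming the protected mount still serves legitimate callers.
func statusWithToken(h http.Handler, path, token string) int {
	req := httptest.NewRequest(http.MethodGet, path, nil)
	req.Header.Set("Authorization", "Bearer "+token)
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	paths := []string{"/api/allusers"}
	fmt.Println("public mount leaks:   ", unauthenticatedRoutes(newMux(false, "s3cret"), paths))
	fmt.Println("protected mount leaks:", unauthenticatedRoutes(newMux(true, "s3cret"), paths))
	fmt.Println("protected, with token:", statusWithToken(newMux(true, "s3cret"), "/api/allusers", "s3cret"))
}
```

Running the probe against a full route table after every deployment turns the third recommended action into an automated regression check rather than a manual review.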

Advisories

Source: GitHub GHSA
ID: GHSA-m983-7426-5hrj
Title: Ech0 authenticated user-list exposed data via public `/api/allusers` endpoint

History

Fri, 27 Mar 2026 08:45:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Lin-snow; Lin-snow ech0

Type: Vendors & Products
Values Removed: (none)
Values Added: Lin-snow; Lin-snow ech0

Thu, 26 Mar 2026 21:15:00 +0000

Type: Description
Values Added: Ech0 is an open-source, self-hosted publishing platform for personal idea sharing. Prior to version 4.2.0, `GET /api/allusers` is mounted as a public endpoint and returns user records without authentication. This allows remote unauthenticated user enumeration and exposure of user profile metadata. A fix is available in v4.2.0.

Type: Title
Values Added: Ech0 authenticated user-list exposed data via public `/api/allusers` endpoint

Type: Weaknesses
Values Added: CWE-862

Type: References
Values Added: (none listed)

Type: Metrics
Values Added: cvssV3_1 {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-26T20:52:40.464Z

Reserved: 2026-03-23T14:24:11.619Z

Link: CVE-2026-33638

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-03-26T21:17:07.467

Modified: 2026-03-26T21:17:07.467

Link: CVE-2026-33638

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-27T09:23:22Z

Weaknesses