Description
ApostropheCMS is an open-source Node.js content management system. Versions 4.28.0 and prior contain a timing side-channel vulnerability in the password reset endpoint (/api/v1/@apostrophecms/login/reset-request) that allows unauthenticated username and email enumeration. When a user is not found, the handler returns after a fixed 2-second artificial delay, but when a valid user is found, it performs a MongoDB update and SMTP email send with no equivalent delay normalization, producing measurably different response times. The endpoint also accepts both username and email via an $or query, and has no rate limiting as the existing checkLoginAttempts throttle only applies to the login flow. This enables automated enumeration of valid accounts for use in credential stuffing or targeted phishing. Only instances that have explicitly enabled the passwordReset option are affected, as it defaults to false. This issue has been fixed in version 4.29.0.
Published: 2026-04-15
Score: 3.7 Low
EPSS: < 1% Very Low
KEV: No
Impact: User Enumeration via Timing Side Channel
Action: Apply Patch
AI Analysis

Impact

The flaw is a timing side‑channel in the password reset endpoint that leaks whether a username or email exists. An unauthenticated caller receives a fixed two‑second delay when a target is absent, but a noticeably faster response when the target is present because a database update and email are performed. This difference allows an attacker to enumerate valid accounts, which aids credential‑stuffing or targeted phishing. The weakness is a classic timing side‑channel vulnerability (CWE‑208).

Affected Systems

The issue affects ApostropheCMS versions 4.28.0 and earlier. It only poses a risk when the passwordReset feature is enabled, which defaults to false. The affected product is the Node.js content‑management system developed by apostrophecms under the name apostrophe.

Risk and Exploitability

The CVSS base score is 3.7, indicating a low‑severity vulnerability. EPSS is not available, making it unclear how frequently it has been exploited, and the item is not listed in CISA's KEV catalog. An attacker would issue unauthenticated HTTP requests to /api/v1/@apostrophecms/login/reset-request, observe response times, and map valid usernames or email addresses. The lack of rate limiting allows automated scripts to conduct enumeration quickly. Without additional controls, enumerated accounts can be used in credential stuffing or social‑engineering attacks.

Generated by OpenCVE AI on April 15, 2026 at 21:55 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the application to version 4.29.0 or later, which removes the timing discrepancy.
  • If an upgrade is not possible, disable the passwordReset capability by setting the option to false.
  • Implement application‑level rate limiting or enforce a uniform response delay for the reset endpoint to obfuscate timing differences.



Advisories
Source: Github GHSA
ID: GHSA-mj7r-x3h3-7rmr
Title: ApostropheCMS: User Enumeration via Timing Side Channel in Password Reset Endpoint
History

Thu, 16 Apr 2026 09:15:00 +0000

Type: First Time appeared
  Values Added: Apostrophecms; Apostrophecms apostrophecms
Type: Vendors & Products
  Values Added: Apostrophecms; Apostrophecms apostrophecms

Wed, 15 Apr 2026 20:15:00 +0000

Type: Metrics
  Values Added: ssvc
  {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 15 Apr 2026 19:30:00 +0000

Type: Description
  Values Added: (the description text given at the top of this record)
Type: Title
  Values Added: ApostropheCMS: User Enumeration via Timing Side Channel in Password Reset Endpoint
Type: Weaknesses
  Values Added: CWE-208
Type: References
  Values Added: (none listed)
Type: Metrics
  Values Added: cvssV3_1
  {'score': 3.7, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-15T19:30:53.040Z

Reserved: 2026-03-24T15:10:05.680Z

Link: CVE-2026-33877

Vulnrichment

Updated: 2026-04-15T19:30:33.569Z

NVD

Status : Received

Published: 2026-04-15T20:16:35.517

Modified: 2026-04-15T20:16:35.517

Link: CVE-2026-33877

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T09:00:05Z

Weaknesses