CVE-2026-33638 MEDIUM

CVE-2026-33638: Ech0 authenticated user-list exposed data via public `/api/allusers` endpoint

Vendor Lin-Snow
Product Ech0
Weakness CWE-862 · Missing authorization
Published March 26, 2026
Last update March 27, 2026

CVSS base score

5.3/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality Low
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

What the vulnerability does

01Description

Ech0 is an open-source, self-hosted publishing platform for personal idea sharing. Prior to version 4.2.0, `GET /api/allusers` is mounted as a public endpoint and returns user records without authentication. This allows remote unauthenticated user enumeration and exposure of user profile metadata. A fix is available in v4.2.0.

Key dates

02Disclosure timeline

March 26, 2026 CVE published
March 27, 2026 Record updated