Description

Ech0 is an open-source, self-hosted publishing platform for personal idea sharing. Prior to version 4.2.0, `GET /api/allusers` is mounted as a public endpoint and returns user records without authentication. This allows remote unauthenticated user enumeration and exposure of user profile metadata. A fix is available in v4.2.0.

INFO

Published Date :

2026-03-26T20:52:40.464Z

Last Modified :

2026-03-27T20:19:07.459Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2026-33638 vulnerability.

Vendors Products
Lin-snow
  • Ech0
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-33638.

URL Resource
https://github.com/lin-snow/Ech0/commit/acbf1fd71011e6b9e1e6a911128056a19862f681 cve-icon cve-icon
https://github.com/lin-snow/Ech0/releases/tag/v4.2.0 cve-icon cve-icon
https://github.com/lin-snow/Ech0/security/advisories/GHSA-m983-7426-5hrj cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact