CVE-2026-33638

MEDIUM 5.3 | EPSS 0.03%

Ech0 authenticated user-list exposed data via public `/api/allusers` endpoint

Published: 3/24/2026 | Modified: 3/30/2026

Description

### Summary

An access-control flaw allows unauthenticated users to retrieve the full user list from `GET /api/allusers`. This exposes user profile metadata to anyone who can reach the application and enables remote user enumeration.

### Details

The vulnerable route is registered as a public endpoint:

- `internal/router/user.go:17`
- `appRouterGroup.PublicRouterGroup.GET("/allusers", h.UserHandler.GetAllUsers())`

However, the handler appears to have been intended as an authenticated endpoint:

- `internal/handler/user/user.go:177-185`
- The API annotations declare an authentication requirement via `@Security ApiKeyAuth`

This is a mismatch between the documented security model and the actual routing configuration: the handler is annotated as requiring authentication, but it is attached to the public router group, so no authentication middleware runs in front of it. As a result, requests to `GET /api/allusers` succeed without authentication and return user records, including profile metadata such as usernames, email addresses, role-related flags, avatar values, and locale information.

A negative control against another endpoint that correctly requires authentication supports that this exposure is unintended: `GET /api/user` returns `401 Unauthorized` when no token is supplied, while `GET /api/allusers` remains publicly accessible without one.

### Impact

- **Type:** Access control bypass / unauthenticated data exposure
- **Who is impacted:** Any deployment exposing the API to untrusted networks, and all users whose profile metadata is returned by the endpoint
- **Security impact:** Enables remote user enumeration and disclosure of user profile metadata, which may facilitate account reconnaissance, phishing, and targeted credential attacks
- **Attack preconditions:** None beyond network access to the affected API endpoint
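The following is an added example, not code from Ech0 or from this advisory. It reproduces the class of misconfiguration described above in a self-contained Go program using only the standard library's `net/http` and `httptest` (Ech0's own router and handler types are not used): an authenticated route group wraps handlers in an auth middleware, and the `/api/allusers` handler is either registered on the public group (the vulnerable shape) or wrapped like the other authenticated routes (the fix). The `probe` and `checkExposure` functions implement the advisory's negative-control test: `/api/user` must return `401` without a token, and `/api/allusers` is exposed if it returns `200` with user records under the same conditions. The user records, the static bearer token and the handler names are all constructed for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// user is a constructed, illustrative record; it is not Ech0's data model.
type user struct {
	ID       int    `json:"id"`
	Username string `json:"username"`
	Email    string `json:"email"`
	IsAdmin  bool   `json:"is_admin"`
}

// sampleUsers is constructed sample data for the example.
var sampleUsers = []user{
	{ID: 1, Username: "alice", Email: "alice@example.org", IsAdmin: true},
	{ID: 2, Username: "bob", Email: "bob@example.org", IsAdmin: false},
}

// validToken is a hypothetical static bearer token; a real deployment
// would validate a JWT or session instead.
const validToken = "constructed-test-token"

// requireAuth is the kind of middleware an authenticated route group wraps
// its handlers with. Handlers registered on a public group never pass through it.
func requireAuth(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		auth := r.Header.Get("Authorization")
		if !strings.HasPrefix(auth, "Bearer ") || strings.TrimPrefix(auth, "Bearer ") != validToken {
			http.Error(w, `{"error":"unauthorized"}`, http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// getAllUsers returns every user record, including profile metadata.
func getAllUsers(w http.ResponseWriter, r *http.Request) {
	w.Header().Set("Content-Type", "application/json")
	json.NewEncoder(w).Encode(sampleUsers)
}

// getCurrentUser stands in for the correctly protected /api/user endpoint.
func getCurrentUser(w http.ResponseWriter, r *http.Request) {
	w.Header().Set("Content-Type", "application/json")
	json.NewEncoder(w).Encode(sampleUsers[0])
}

// newRouter builds the API mux. With allUsersPublic=true, /api/allusers is
// registered without requireAuth (the misconfiguration the advisory describes);
// with false it is wrapped like the other authenticated routes (the fix).
func newRouter(allUsersPublic bool) http.Handler {
	mux := http.NewServeMux()
	mux.Handle("/api/user", requireAuth(http.HandlerFunc(getCurrentUser)))
	if allUsersPublic {
		mux.Handle("/api/allusers", http.HandlerFunc(getAllUsers)) // public group: no auth
	} else {
		mux.Handle("/api/allusers", requireAuth(http.HandlerFunc(getAllUsers)))
	}
	return mux
}

// probe issues a GET with an optional bearer token and returns the status code
// and the number of user records in the body (0 if the body is not a user array).
func probe(h http.Handler, path, token string) (int, int) {
	req := httptest.NewRequest(http.MethodGet, path, nil)
	if token != "" {
		req.Header.Set("Authorization", "Bearer "+token)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	var users []user
	if err := json.Unmarshal(rec.Body.Bytes(), &users); err != nil {
		return rec.Code, 0
	}
	return rec.Code, len(users)
}

// checkExposure runs the advisory's negative-control test: controlOK is true
// when /api/user rejects an unauthenticated request with 401, and exposed is
// true when /api/allusers serves user records to the same unauthenticated caller.
func checkExposure(h http.Handler) (controlOK bool, exposed bool) {
	ctrlCode, _ := probe(h, "/api/user", "")
	code, n := probe(h, "/api/allusers", "")
	return ctrlCode == http.StatusUnauthorized, code == http.StatusOK && n > 0
}

func main() {
	for _, public := range []bool{true, false} {
		ok, exposed := checkExposure(newRouter(public))
		fmt.Printf("allusers on public group=%v: control returns 401=%v, unauthenticated exposure=%v\n",
			public, ok, exposed)
	}
}
```

The same probe can be pointed at a live deployment by replacing `httptest` with a real HTTP client; the decisive signal is the pairing of a `401` from `/api/user` with a `200` and a populated user array from `/api/allusers` on an otherwise identical unauthenticated request.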

Affected packages (2)

CVSS scores

| Source | Version | Severity | Vector |
| --- | --- | --- | --- |
| osv | CVSS 3.1 | MEDIUM 5.3 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |

References (5)