Skip to main content

CVE-2026-33323

| EUVDEUVD-2026-14189 MEDIUM
Observable Response Discrepancy (CWE-204)
6.3
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
6.3 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

4
EUVD ID Assigned
Mar 19, 2026 - 19:00 euvd
EUVD-2026-14189
Analysis Generated
Mar 19, 2026 - 19:00 vuln.today
Patch released
Mar 19, 2026 - 19:00 nvd
Patch available
CVE Published
Mar 19, 2026 - 18:21 nvd
MEDIUM 6.3

DescriptionGitHub Advisory

Impact

The Pages route and legacy PublicAPI route for resending email verification links return distinguishable responses depending on whether the provided username exists and has an unverified email. This allows an unauthenticated attacker to enumerate valid usernames by observing different redirect targets. The existing emailVerifySuccessOnInvalidEmail configuration option, which is enabled by default and protects the API route against this, did not apply to these routes.

Patches

The email verification resend routes now respect the emailVerifySuccessOnInvalidEmail option. When set to true (the default), both routes redirect to the success page regardless of the outcome, preventing user enumeration.

Workarounds

There is no known workaround to prevent the information disclosure other than upgrading.

AnalysisAI

Email verification resend endpoints in the Pages and legacy PublicAPI routes leak information about valid usernames through distinguishable responses, enabling unauthenticated attackers to enumerate active accounts. The default emailVerifySuccessOnInvalidEmail configuration option, which mitigates this issue, was not applied to these specific routes. A patch is available that extends the protection to both routes.

Technical ContextAI

Information disclosure occurs when an application inadvertently reveals sensitive data to unauthorized actors through error messages, logs, or improper access controls.

RemediationAI

A vendor patch is available — apply it immediately. Implement proper access controls. Sanitize error messages in production. Review logging practices to avoid capturing sensitive data.

Share

CVE-2026-33323 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy