PT-2026-27633 · Ech0 · Ech0

Qiaonpc · Published 2026-03-24 · Updated 2026-03-27 · CVE-2026-33638

CVSS v3.1: 5.3 (Medium)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Ech0 versions prior to 4.2.0

Description: The GET /api/allusers API endpoint is publicly accessible, allowing remote unauthenticated user enumeration and exposure of user profile metadata. The route is registered under public routes in internal/router/user.go:17 with appRouterGroup.PublicRouterGroup.GET("/allusers", h.UserHandler.GetAllUsers()). Although the API documentation declares an authentication requirement (@Security ApiKeyAuth), the endpoint does not enforce it. This allows unauthorized access to user data, potentially enabling account reconnaissance and targeted credential attacks.

Recommendations: Update Ech0 to version 4.2.0 or later.
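As an added illustration, not Ech0's own code: the program below mounts a GET /api/allusers handler the way the pre-4.2.0 public route did (no middleware) and, beside it, the same handler behind an authentication check, with a probe a maintainer can keep as a regression test. It uses net/http rather than the project's router, and the bearer-token scheme, sample users and function names are constructed assumptions.

```go
package main

import (
	"encoding/json"
	"net/http"
	"net/http/httptest"
)

// Constructed sample profiles and token; neither is Ech0's real data or auth scheme.
var users = []map[string]string{{"name": "alice"}, {"name": "bob"}}
const validToken = "constructed-token"

// getAllUsers is the handler behind GET /api/allusers: it returns every profile.
func getAllUsers(w http.ResponseWriter, r *http.Request) {
	json.NewEncoder(w).Encode(users)
}

// requireAuth is a hypothetical bearer-token check standing in for the ApiKeyAuth the docs promised.
func requireAuth(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Header.Get("Authorization") != "Bearer "+validToken {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// newMux mounts /api/allusers either as the pre-4.2.0 code did (public group, no
// middleware) or, with protect set, wrapped in the auth check.
func newMux(protect bool) http.Handler {
	var h http.Handler = http.HandlerFunc(getAllUsers)
	if protect {
		h = requireAuth(h)
	}
	mux := http.NewServeMux()
	mux.Handle("/api/allusers", h)
	return mux
}

// probe sends GET /api/allusers (optionally with a bearer token) and returns the status code.
func probe(h http.Handler, token string) int {
	req := httptest.NewRequest(http.MethodGet, "/api/allusers", nil)
	if token != "" {
		req.Header.Set("Authorization", "Bearer "+token)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}
```

probe(newMux(false), "") returns 200, reproducing the exposure the advisory describes; probe(newMux(true), "") returns 401, and only the valid token gets 200.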

Weakness Enumeration

Missing Authorization

Related identifiers

CVE-2026-33638
GHSA-M983-7426-5HRJ
GO-2026-4838
SUSE-SU-2026:1135-1

Affected products

Ech0