PT-2026-33119 · Unknown · Apostrophe Cms

Published 2026-04-15 · Updated 2026-04-16 · CVE-2026-33877

CVSS v3.1 3.7 Low

Vector AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions: ApostropheCMS versions prior to 4.29.0
Description: A timing side channel in the password reset endpoint '/api/v1/@apostrophecms/login/reset-request' lets unauthenticated users enumerate valid usernames and email addresses. When no matching user is found, the handler applies a fixed 2-second artificial delay; when a matching user exists, it performs MongoDB updates and SMTP email delivery with no equivalent delay normalization, so the response time differs measurably depending on whether the account exists. The endpoint accepts either a username or an email address via an $or query and has no rate limiting of its own: the checkLoginAttempts throttle applies only to the login flow. Only instances that explicitly enable the passwordReset option are affected; it is disabled by default.
Recommendations: Update to version 4.29.0 or later. As a temporary workaround, disable the passwordReset option in the @apostrophecms/login configuration.
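The pattern the description refers to, as an added example that is not ApostropheCMS code and does not claim to be how 4.29.0 fixes it: a vulnerable reset-request handler that pads only the not-found branch, beside a hardened one that pads every response to a common floor measured from the start of the request. The user store, the simulated lookup/update/SMTP costs, the function names and the virtual clock are all constructed for this example so the timing gap is exact and the block runs instantly.

```javascript
// Added example, not ApostropheCMS code. Handlers run against a virtual clock
// whose sleep() advances time instead of blocking, so response times are exact.

// Virtual clock (constructed for the example).
class VirtualClock {
  constructor() { this.t = 0; }
  now() { return this.t; }
  sleep(ms) { this.t += ms; }
}

// Constructed user store; lookup matches username OR email, like the advisory's $or query.
const USERS = [{ username: 'alice', email: 'alice@example.test' }];

// Simulated costs in ms. The fixed delay is the advisory's 2 s; the DB and SMTP
// costs are illustrative assumptions, real values vary per deployment.
const COST = { lookup: 5, dbUpdate: 40, smtp: 120, fixedDelay: 2000 };

function findUser(clock, identifier) {
  clock.sleep(COST.lookup);
  return USERS.find((u) => u.username === identifier || u.email === identifier) || null;
}

// Vulnerable shape: the fixed delay is applied only when no user matches, while
// the matching path spends whatever the token write and the mail send cost.
function resetRequestVulnerable(clock, identifier) {
  const user = findUser(clock, identifier);
  if (!user) {
    clock.sleep(COST.fixedDelay);
    return { status: 200 };
  }
  clock.sleep(COST.dbUpdate); // persist reset token
  clock.sleep(COST.smtp);     // send reset mail
  return { status: 200 };
}

// Hardened shape: do the work (or not), then pad to a common floor measured from
// the start of the request, so the response time no longer depends on whether
// the account exists, provided the work stays under the floor.
function resetRequestHardened(clock, identifier) {
  const start = clock.now();
  const user = findUser(clock, identifier);
  if (user) {
    clock.sleep(COST.dbUpdate);
    clock.sleep(COST.smtp);
  }
  const remaining = COST.fixedDelay - (clock.now() - start);
  if (remaining > 0) clock.sleep(remaining);
  return { status: 200 };
}

// What an attacker measures: end-to-end response time for one identifier.
function responseTime(handler, identifier) {
  const clock = new VirtualClock();
  handler(clock, identifier);
  return clock.now();
}

// The enumeration oracle: difference between a known and an unknown identifier.
function timingGap(handler) {
  return Math.abs(responseTime(handler, 'alice') - responseTime(handler, 'nobody@example.test'));
}

// timingGap(resetRequestVulnerable) -> 1840 ; timingGap(resetRequestHardened) -> 0
```

Padding to a floor only closes the channel while the slow path stays under the floor; if SMTP delivery can exceed it, the more robust shape is to queue the token write and mail send off the request path so both branches do the same synchronous work. Either way the endpoint still needs its own rate limit, since the description notes that checkLoginAttempts covers only the login flow.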

Related Identifiers

CVE-2026-33877
GHSA-MJ7R-X3H3-7RMR

Affected Products

Apostrophe Cms