CVE-2026-33638: Ech0 authenticated user-list exposed data via public `/api/allusers` endpoint
A public access-control flaw allows unauthenticated users to retrieve the full user list from `GET /api/allusers`. This exposes user profile metadata to anyone who can reach the application and enables remote user enumeration.