CVE-2026-33877: ApostropheCMS is an open-source Node.js content management system. Versions 4.28.0 and prior contain a timing side-channel vulnerability in the passwo...

Description

ApostropheCMS is an open-source Node.js content management system. Versions 4.28.0 and prior contain a timing side-channel vulnerability in the password reset endpoint (/api/v1/@apostrophecms/login/reset-request) that allows unauthenticated username and email enumeration. When a user is not found, the handler returns after a fixed 2-second artificial delay, but when a valid user is found, it performs a MongoDB update and SMTP email send with no equivalent delay normalization, producing measurably different response times. The endpoint also accepts both username and email via an $or query, and has no rate limiting as the existing checkLoginAttempts throttle only applies to the login flow. This enables automated enumeration of valid accounts for use in credential stuffing or targeted phishing. Only instances that have explicitly enabled the passwordReset option are affected, as it defaults to false. This issue has been fixed in version 4.29.0.

Metrics

CVSS 3.1

3.7/10

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

EPSS Probability

0.36%

28.4th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

CWE-208

Affected Software

Vendor	Product	Versions
Apostrophecms	Apostrophecms	< 4.29.0

References

https://github.com/apostrophecms/apostrophe/commit/e266cffd8c0d331a9b05c92bf11616556efcdc77Patch
https://github.com/apostrophecms/apostrophe/security/advisories/GHSA-mj7r-x3h3-7rmrExploit, Mitigation, Vendor Advisory
https://github.com/apostrophecms/apostrophe/security/advisories/GHSA-mj7r-x3h3-7rmrExploit, Mitigation, Vendor Advisory

Timeline

Published: Apr 15, 2026
Last Modified: Jun 17, 2026
Status: Analyzed

Frequently Asked Questions

What is CVE-2026-33877?

ApostropheCMS is an open-source Node.js content management system. Versions 4.28.0 and prior contain a timing side-channel vulnerability in the password reset endpoint (/api/v1/@apostrophecms/login/reset-request) that allows unauthenticated username and email enumeration. When a user is not found, the handler returns after a fixed 2-second artificial delay, but when a valid user is found, it performs a MongoDB update and SMTP email send with no equivalent delay normalization, producing measurably different response times. The endpoint also accepts both username and email via an $or query, and has no rate limiting as the existing checkLoginAttempts throttle only applies to the login flow. This enables automated enumeration of valid accounts for use in credential stuffing or targeted phishing. Only instances that have explicitly enabled the passwordReset option are affected, as it defaults to false. This issue has been fixed in version 4.29.0.

How severe is CVE-2026-33877?

CVE-2026-33877 has a CVSS score of 3.7/10 (LOW severity). The EPSS model estimates a 0.36% probability of exploitation in the next 30 days.

How do I fix CVE-2026-33877?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.