Timing Side-Channel Vulnerability in ApostropheCMS by Apostrophe
CVE-2026-33877

3.7 LOW

Key Information:

Vendor: Apostrophe
CVE Published: 15 April 2026

What is CVE-2026-33877?

ApostropheCMS, an open-source Node.js content management system, contains a timing side channel in its password reset endpoint that lets an unauthenticated attacker enumerate valid usernames and email addresses. When the submitted account does not exist, the handler inserts an artificial two-second delay before responding; when the account exists, the request is processed without that delay. The response time therefore reveals whether an account is valid. Because the endpoint is not rate limited, an attacker can automate the enumeration against a candidate list, and the resulting set of confirmed accounts supports credential stuffing and targeted phishing. Only deployments that explicitly enable the passwordReset option are affected; the option is disabled by default. The issue is fixed in apostrophe 4.29.0, and affected deployments should upgrade.
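The following is an added example, not ApostropheCMS's own code, that models the flaw described above in Node.js: a password reset handler that pays the artificial delay only on the miss path, next to a hardened version that responds at a fixed deadline whether or not the lookup hits, plus the kind of latency probe an attacker would use and a minimal sliding-window rate limiter. The user store, the function names, and the 150 ms delay (scaled down from the advisory's two seconds so the probe runs quickly) are all constructed assumptions.

```javascript
// Added example (not ApostropheCMS code). Demonstrates a timing side channel
// in a password-reset handler, the hardened equivalent, and an enumeration probe.

// Constructed user store standing in for the CMS database.
const USERS = new Set(['admin@example.com', 'editor@example.com']);

// Artificial delay; the advisory's real value is 2000 ms.
const DELAY_MS = 150;
const GENERIC_BODY = 'If that account exists, a reset email has been sent.';
const sleep = (ms) => new Promise((resolve) => setTimeout(resolve, ms));

// Vulnerable pattern: the delay is only paid when the user is NOT found,
// so unknown addresses answer ~DELAY_MS slower than known ones.
async function resetVulnerable(email) {
  if (!USERS.has(email)) {
    await sleep(DELAY_MS);            // miss path waits, hit path does not
    return { status: 200, body: GENERIC_BODY };
  }
  // (a real handler would enqueue the reset email here)
  return { status: 200, body: GENERIC_BODY };
}

// Hardened pattern: fix the response deadline at entry and always respond at
// that deadline. The lookup result changes what happens in between, not when
// the response goes out, as long as the real work fits inside DELAY_MS.
async function resetHardened(email) {
  const deadline = Date.now() + DELAY_MS;
  if (USERS.has(email)) {
    // (enqueue the reset email)
  }
  const remaining = deadline - Date.now();
  if (remaining > 0) await sleep(remaining);
  return { status: 200, body: GENERIC_BODY };
}

// Attacker side: median round-trip time over several samples for one address.
async function measure(handler, email, samples = 3) {
  const times = [];
  for (let i = 0; i < samples; i++) {
    const t0 = process.hrtime.bigint();
    await handler(email);
    times.push(Number(process.hrtime.bigint() - t0) / 1e6); // ms
  }
  times.sort((a, b) => a - b);
  return times[Math.floor(times.length / 2)];
}

// Classify each candidate against a baseline taken with an address that
// cannot exist. Under the vulnerable handler known users come back far faster
// than the baseline; under the hardened handler everything looks the same.
async function enumerate(handler, candidates, samples = 3) {
  const baseline = await measure(handler, `no-such-user-${Date.now()}@invalid`, samples);
  const verdict = {};
  for (const email of candidates) {
    const t = await measure(handler, email, samples);
    verdict[email] = t < baseline / 2 ? 'exists' : 'unknown';
  }
  return verdict;
}

// Sliding-window rate limiter keyed by client (e.g. source IP). The advisory
// notes the endpoint had no such limit, which is what makes bulk probing cheap.
// `now` is injectable so the behaviour can be tested without waiting.
function makeRateLimiter(maxRequests, windowMs) {
  const hits = new Map(); // key -> timestamps within the window
  return function allow(key, now = Date.now()) {
    const recent = (hits.get(key) || []).filter((ts) => ts > now - windowMs);
    if (recent.length >= maxRequests) {
      hits.set(key, recent);
      return false;                  // over budget: reject before any lookup
    }
    recent.push(now);
    hits.set(key, recent);
    return true;
  };
}

// Stand-alone demo (skipped when the file is imported as a module).
if (typeof require !== 'undefined' && require.main === module) {
  const targets = ['admin@example.com', 'editor@example.com', 'ghost@example.com'];
  enumerate(resetVulnerable, targets).then((v) => console.log('vulnerable:', v));
  enumerate(resetHardened, targets).then((h) => console.log('hardened:', h));
}
```

The hardened handler uses a deadline rather than an unconditional `sleep(DELAY_MS)` after the lookup, because the hit path does real work (queueing mail) that would otherwise still shift its timing relative to the miss path. The rate limiter on its own does not close the side channel; it only raises the cost of running the probe over a large candidate list.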

Affected Version(s)

apostrophe < 4.29.0

CVSS V3.1

Score: 3.7
Severity: LOW
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: Low
Integrity: None
Availability: None (the 3.7 base score corresponds to A:N; with A:L the same vector would score 4.7)

Timeline

  • Vulnerability reserved

  • Vulnerability published: 15 April 2026