CVE-2026-33877 — Observable Timing Discrepancy in Apostrophe

CWE-208 — Observable Timing Discrepancy4 documents4 sources

Severity

3.7LOWNVD

EPSS

0.0%

top 91.99%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apostrophecms Apostrophe

Timeline

PublishedApr 15

Latest updateApr 16

Description

ApostropheCMS is an open-source Node.js content management system. Versions 4.28.0 and prior contain a timing side-channel vulnerability in the password reset endpoint (/api/v1/@apostrophecms/login/reset-request) that allows unauthenticated username and email enumeration. When a user is not found, the handler returns after a fixed 2-second artificial delay, but when a valid user is found, it performs a MongoDB update and SMTP email send with no equivalent delay normalization, producing measurabl…

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:NExploitability: 2.2 | Impact: 1.4

Affected Packages2 packages

▶CVEListV5apostrophecms/apostrophe< 4.29.0

▶npmapostrophecms/apostrophe< 4.29.0

🔴Vulnerability Details

VulDB

apostrophecms apostrophe up to 4.28.x Endpoint reset-request timing discrepancy (GHSA-mj7r-x3h3-7rmr)↗2026-04-16

▶

GHSA

ApostropheCMS: User Enumeration via Timing Side Channel in Password Reset Endpoint↗2026-04-16

▶

CVEList

ApostropheCMS: User Enumeration via Timing Side Channel in Password Reset Endpoint↗2026-04-15

▶