CVE-2026-33877 — LOW (3.7) — White Hats Nepal

Q: How severe is CVE-2026-33877?

CVE-2026-33877 has been rated LOW with a CVSS base score of 3.7/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2026-33877?

Check the references section above for vendor advisories and patch information. Affected products include: Apostrophecms Apostrophecms.

Vulnerability Description

ApostropheCMS is an open-source Node.js content management system. Versions 4.28.0 and prior contain a timing side-channel vulnerability in the password reset endpoint (/api/v1/@apostrophecms/login/reset-request) that allows unauthenticated username and email enumeration. When a user is not found, the handler returns after a fixed 2-second artificial delay, but when a valid user is found, it performs a MongoDB update and SMTP email send with no equivalent delay normalization, producing measurably different response times. The endpoint also accepts both username and email via an $or query, and has no rate limiting as the existing checkLoginAttempts throttle only applies to the login flow. This enables automated enumeration of valid accounts for use in credential stuffing or targeted phishing. Only instances that have explicitly enabled the passwordReset option are affected, as it defaults to false. This issue has been fixed in version 4.29.0.

CVSS Score

3.7

LOW

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

LOW

Integrity

NONE

Availability

NONE

Affected Products

Vendor	Product	Versions
Apostrophecms	Apostrophecms	< 4.29.0

Related Weaknesses (CWE)

CWE-208

References

https://github.com/apostrophecms/apostrophe/commit/e266cffd8c0d331a9b05c92bf1161Patch
https://github.com/apostrophecms/apostrophe/security/advisories/GHSA-mj7r-x3h3-7ExploitMitigationVendor Advisory
https://github.com/apostrophecms/apostrophe/security/advisories/GHSA-mj7r-x3h3-7ExploitMitigationVendor Advisory

FAQ

What is CVE-2026-33877?

CVE-2026-33877 is a vulnerability with a CVSS score of 3.7 (LOW). ApostropheCMS is an open-source Node.js content management system. Versions 4.28.0 and prior contain a timing side-channel vulnerability in the password reset endpoint (/api/v1/@apostrophecms/login/re...

How severe is CVE-2026-33877?

CVE-2026-33877 has been rated LOW with a CVSS base score of 3.7/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2026-33877?

Check the references section above for vendor advisories and patch information. Affected products include: Apostrophecms Apostrophecms.