ApostropheCMS: User Enumeration via Timing Side Channel in Password Reset Endpoint
Severity: Low
Description
The password reset endpoint (/api/v1/@apostrophecms/login/reset-request) exhibits a measurable timing side channel that allows unauthenticated attackers to enumerate valid usernames and email addresses.
Recommendation
Update the apostrophe package to the latest compatible version. Version details are as follows:
- Affected version(s): < 4.29.0
- Patched version(s): 4.29.0
Related Issues
- Parse Server vulnerable to user enumeration via email verification endpoint - CVE-2026-31901
- Parse Server has a login timing side channel that reveals user existence - CVE-2026-39321
- Strapi may leak sensitive user information, user reset password, tokens via content-manager views - @strapi/plugin-content-manager - CVE-2023-36472
- ApostropheCMS MFA/TOTP Bypass via Incorrect MongoDB Query in Bearer Token Middleware - CVE-2026-32730
Tags:
- npm
- apostrophe
Last updated on April 16, 2026