CVE-2018-19133
Description
In Flarum Core 0.1.0-beta.7.1, a serious leak can get everyone's email address.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
In Flarum Core 0.1.0-beta.7.1, the API endpoint for updating users leaks email addresses of all users to any authenticated attacker.
Vulnerability
In Flarum Core version 0.1.0-beta.7.1, the UpdateUserController API endpoint always used CurrentUserSerializer to serialize user data, even when an authenticated user updated another user's profile. This serializer includes the email address field, which should only be visible to the user themselves. The vulnerability is present in the /api/users/{id} endpoint when a PATCH request is made with user update data. Affected versions: Flarum Core 0.1.0-beta.7.1 and possibly earlier beta releases. [1] [2]
Exploitation
An attacker needs an authenticated account on the forum. No special privileges are required. The attacker sends a PATCH request to /api/users/{id} for any target user ID (e.g., 1, 2, etc.), including valid update data (such as an empty or dummy attribute). The server responds with the full user object serialized by CurrentUserSerializer, which includes the email field. This can be repeated for every user to harvest all email addresses. [2]
Impact
An attacker can obtain the email addresses of all users on the Flarum forum. This is a confidentiality breach of private user information, potentially enabling targeted phishing, spam, or other privacy violations. No other data (passwords, tokens) is exposed. The attacker remains at their authenticated user privilege level. [2] [3]
Mitigation
The vulnerability was fixed in commit e99f7fcdace74211bec5627e6adf20ddf7dad2a7 [3], where the serializer is conditionally set: CurrentUserSerializer is used only when the authenticated actor is the user being updated; otherwise, UserSerializer (which omits the email field) is used. Upgrading to a version containing this commit (e.g., Flarum Core 0.1.0-beta.8 or later) resolves the issue. No workaround is available. The CVE is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.
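The following is an added illustration of the fix described above, not Flarum's own code. It uses simplified stand-in serializers and a plain function in place of the real UpdateUserController, keeping only the names that appear on this page (UserSerializer, CurrentUserSerializer); the User class and the two respond functions are hypothetical. Both serializers are assumed to differ only in whether the email attribute is emitted, which is the behaviour the Mitigation section describes.

```php
<?php
// Added example (not Flarum's code): stand-in for the serializer selection
// in UpdateUserController before and after the fix. Class and function names
// other than the two serializers are assumptions for illustration.
declare(strict_types=1);

// Stand-in user record (assumed shape; not Flarum's User model).
final class User
{
    public function __construct(
        public int $id,
        public string $username,
        public string $email,
    ) {}
}

// Public view: what any actor may see about a user (no email).
class UserSerializer
{
    public function serialize(User $user): array
    {
        return ['id' => $user->id, 'username' => $user->username];
    }
}

// Private view: only for the user themselves; adds the email attribute.
final class CurrentUserSerializer extends UserSerializer
{
    public function serialize(User $user): array
    {
        return parent::serialize($user) + ['email' => $user->email];
    }
}

// Vulnerable behaviour (0.1.0-beta.7.1): the serializer is fixed to
// CurrentUserSerializer no matter whose profile is being updated.
function respondVulnerable(User $actor, User $target): array
{
    $serializer = new CurrentUserSerializer();
    return $serializer->serialize($target);
}

// Fixed behaviour (commit e99f7fcd...): default to the public serializer and
// switch to the private one only when the actor is updating their own record.
// Strict comparison is used here because both sides are ints in this example.
function respondFixed(User $actor, User $target): array
{
    $serializer = new UserSerializer();
    if ($actor->id === $target->id) {
        $serializer = new CurrentUserSerializer();
    }
    return $serializer->serialize($target);
}

function check(bool $condition, string $label): void
{
    if (!$condition) {
        throw new RuntimeException("check failed: $label");
    }
    echo "ok: $label\n";
}

// Constructed sample data.
$alice = new User(1, 'alice', 'alice@example.org');
$bob   = new User(2, 'bob',   'bob@example.org');

// Bob updates Alice's profile: the old code returns her email, the fix does not.
check(isset(respondVulnerable($bob, $alice)['email']), 'vulnerable path exposes email');
check(!isset(respondFixed($bob, $alice)['email']),     'fixed path omits email for other users');
// Alice updates her own profile: the fix still returns her own email to her.
check(isset(respondFixed($alice, $alice)['email']),    'fixed path keeps email for self');
```

Run with `php example.php` on PHP 8.0 or later (constructor property promotion). The point of the two functions side by side is that the safe default is the less privileged serializer, with the private view granted only after an explicit identity check, which is the same shape as the patch.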
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| flarum/framework (Packagist) | <= 0.1.0-beta.7.1 | — |
Affected products
Patches
1. e99f7fcdace7: Fix leak of private information when updating users
   1 file changed · +6 −1
src/Api/Controller/UpdateUserController.php+6 −1 modified@@ -12,6 +12,7 @@ namespace Flarum\Api\Controller; use Flarum\Api\Serializer\CurrentUserSerializer; +use Flarum\Api\Serializer\UserSerializer; use Flarum\User\Command\EditUser; use Flarum\User\Exception\PermissionDeniedException; use Illuminate\Contracts\Bus\Dispatcher; @@ -23,7 +24,7 @@ class UpdateUserController extends AbstractShowController /** * {@inheritdoc} */ - public $serializer = CurrentUserSerializer::class; + public $serializer = UserSerializer::class; /** * {@inheritdoc} @@ -52,6 +53,10 @@ protected function data(ServerRequestInterface $request, Document $document) $actor = $request->getAttribute('actor'); $data = array_get($request->getParsedBody(), 'data', []); + if ($actor->id == $id) { + $this->serializer = CurrentUserSerializer::class; + } + // Require the user's current password if they are attempting to change // their own email address. if (isset($data['attributes']['email']) && $actor->id == $id) {
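Review bot: switching the default `$serializer` to `UserSerializer::class` changes the PATCH response for every actor who is not the target user, administrators included, so confirm no client depends on the `email` attribute in that response before merging. The new guard `if ($actor->id == $id)` also relies on `$id`, which is not assigned anywhere in the visible context; confirm it is the route parameter and consider a strict comparison on an int cast, since the existing email-change check below it uses the same loose `==`.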
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-p6m5-x83r-hqmr (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2018-19133 (ghsa, ADVISORY)
- github.com/flarum/core/issues/1628 (ghsa, x_refsource_MISC, WEB)
- github.com/flarum/framework/commit/e99f7fcdace74211bec5627e6adf20ddf7dad2a7 (ghsa, WEB)
News mentions
No linked articles in our index yet.