GHSA-hm2h-wwwh-g49x: Ech0 Scope Bypass: profile:read Access Token Can Change Admin Password and Escalate to Unrestricted Session
The PUT /user endpoint is protected by RequireScopes("profile:read"), which is a read-only scope. However, the endpoint performs write operations, including password changes. An attacker who obtains an admin's restricted profile:read access token can change the admin's password, then log in with the new password to receive an unrestricted session token that bypasses all scope enforcement.
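The pattern behind this advisory, as an added example that is not Ech0's own code: a scope-checking middleware in plain net/http, with the weak wiring (a write endpoint gated by profile:read) beside the corrected wiring (gated by a write scope). The RequireScopes signature, the token store, the handler bodies and the profile:write scope name are all assumptions made for the example.

```go
package main

import (
	"net/http"
	"net/http/httptest"
	"strings"
)

// Constructed token store (values made up): bearer token -> scopes it was issued with.
var tokenScopes = map[string][]string{
	"read-only-token":  {"profile:read"},
	"read-write-token": {"profile:read", "profile:write"},
}

// RequireScopes (hypothetical signature) runs next only when the bearer
// token carries every required scope; otherwise it answers 401 or 403.
func RequireScopes(next http.Handler, required ...string) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		tok := strings.TrimPrefix(r.Header.Get("Authorization"), "Bearer ")
		have := map[string]bool{}
		for _, s := range tokenScopes[tok] {
			have[s] = true
		}
		if len(have) == 0 {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		for _, s := range required {
			if !have[s] {
				http.Error(w, "insufficient scope", http.StatusForbidden)
				return
			}
		}
		next.ServeHTTP(w, r)
	})
}

// updateUser stands in for the PUT /user handler that can change the password.
func updateUser(w http.ResponseWriter, _ *http.Request) { w.WriteHeader(http.StatusNoContent) }
// VulnerableUserHandler reproduces the weak wiring: a write endpoint gated by a read scope.
func VulnerableUserHandler() http.Handler { return RequireScopes(http.HandlerFunc(updateUser), "profile:read") }
// FixedUserHandler gates the same write endpoint behind a write scope.
func FixedUserHandler() http.Handler { return RequireScopes(http.HandlerFunc(updateUser), "profile:write") }
// ProbePut sends PUT /user with the given bearer token and returns the HTTP status code.
func ProbePut(h http.Handler, token string) int {
	req := httptest.NewRequest(http.MethodPut, "/user", nil)
	req.Header.Set("Authorization", "Bearer "+token)
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}
```

ProbePut doubles as a regression check: a read-only token must get 403 from the write endpoint once the scope requirement is corrected.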