Authenticated account enumeration in sharing dialog

May 17, 2021

  • Risk: low
  • CVSS v3 Base Score: 5.4
  • CVSS v3 Vector: AV:N/AC:M/Au:S/C:P/I:N/A:N
  • CWE ID: CWE-200
  • CWE Name: Exposure of Sensitive Information to an Unauthorized Actor
  • CVE: CVE-2021-29659


The sharing dialog implements a user enumeration mitigation to prevent an authenticated user from getting
a list of all accounts registered on the instance via the auto-complete dropdown. In the default configuration at least
3 characters of the name or email of the share-receiver (“Sharee”) must match an existing account to trigger the autocomplete.

Due to a bug in the related api endpoint the attacker can enumerate all users in a single request by entering three

Secondary the retrieval of all users on a large instance could cause higher than average load on the instance.


  • core 10.6

Action taken

The enumeration mitigation is now properly enforced.


Thanks to Max van der Linden & Justin Aarden from Secura in assignment of SURF.