CVE-2026-29065
Zip Slip Vulnerability in changedetection.io Backup Restore Allows File Overwrite
Publication date: 2026-03-06
Last updated on: 2026-03-10
Assigner: GitHub, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| webtechnologies | changedetection | up to 0.54.4 (exclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-22 | The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-29065 is a critical Zip Slip vulnerability in the backup restore functionality of the changedetection.io application (versions prior to 0.54.4). The vulnerability occurs because the application uses Python's zipfile.extractall() method without validating file paths inside uploaded ZIP archives. This allows an attacker to craft ZIP files containing path traversal sequences (like ../) that escape the intended extraction directory and overwrite arbitrary files on the server.
An attacker can upload a malicious ZIP archive via the backup restore endpoint containing files with paths designed to overwrite sensitive files outside the extraction directory. This can lead to overwriting critical files such as the Flask secret key, application settings, or watch configurations, enabling session forgery, authentication bypass, backdoor injection, and full compromise of the application configuration. [1]
How can this vulnerability impact me?
This vulnerability can have severe impacts including:
- Overwriting the Flask secret key file, which can enable attackers to forge sessions and bypass authentication.
- Modifying application configuration files to disable passwords or inject backdoors.
- Injecting malicious watch configurations that could alter the behavior of the application.
- Overall, it can lead to full compromise of the application by allowing arbitrary file overwrite on the server.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring the backup restore process for suspicious ZIP files containing path traversal sequences such as '../' in their file paths. Specifically, checking the extraction directory for files that have been written outside the intended directory (e.g., files like '../secret.txt' or '../changedetection.json') can indicate exploitation attempts.
You can verify if malicious ZIP archives have been uploaded by inspecting the backup restore endpoint usage and examining the contents of the extraction directory for unexpected files outside the normal scope.
Suggested commands include:
- Check an uploaded backup archive for member names that are absolute or contain '..' segments before it is restored into the extraction path (assumed to be /datastore/; the archive name below is a placeholder):
  `zipinfo -1 backup.zip | grep -E '^/|(^|/)\.\.(/|$)'`
- Manually inspect the contents of the extraction directory for files like secret.txt, changedetection.json, or watch.json that appear outside their expected locations.
- Monitor HTTP requests to the backup restore endpoint (/backups/restore) for uploads of ZIP files with unusual sizes or names. [1]
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability immediately, upgrade changedetection.io to version 0.54.4 or later, where the vulnerability has been patched.
The patch includes validation of ZIP file extraction paths to prevent path traversal, rejecting ZIP files that attempt to write outside the intended directory.
Additional mitigations in the patch include:
- Rejecting ZIP files that exceed configured maximum decompressed size to prevent zip bomb attacks.
- Limiting the maximum upload size of backup ZIP files.
- Excluding sensitive files like secret.txt from backups to avoid secret leakage.
- Validating directory names during restore to only accept UUID v4 formatted directories.
If upgrading immediately is not possible, restrict access to the backup restore endpoint to trusted users only and monitor for suspicious uploads.
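The checks the patch is described as adding (path containment, a decompressed-size cap, UUID v4 directory names) combined into one pre-extraction validator. This is an added example, not changedetection.io's own code; the /datastore extraction path, the 50 MiB cap and the lowercase UUID pattern are assumptions.

```python
import io
import re
import zipfile
from pathlib import Path

# Hypothetical cap on total uncompressed size; not the project's configured value.
MAX_DECOMPRESSED = 50 * 1024 * 1024
# Restore may only create directories whose names are lowercase UUID v4 strings.
UUID4_RE = re.compile(
    r"^[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$")


def check_backup_zip(data: bytes, dest, max_bytes: int = MAX_DECOMPRESSED) -> list:
    """Validate every member of a backup ZIP before anything is extracted.

    Returns the list of problems found; an empty list means the archive
    passed the path containment, size and directory-name checks.
    """
    problems = []
    dest = Path(dest).resolve()
    total = 0
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            # Zip bomb guard: add up the declared uncompressed sizes.
            total += info.file_size
            if total > max_bytes:
                problems.append(f"decompressed size exceeds {max_bytes} bytes")
                break
            # Zip Slip guard: the resolved target must stay under dest.
            # Absolute names and ".." segments both resolve outside it.
            target = (dest / info.filename).resolve()
            if target != dest and dest not in target.parents:
                problems.append(f"path escapes destination: {info.filename}")
                continue
            # Only UUID v4 directories may be created by a restore.
            parts = Path(info.filename).parts
            if (len(parts) > 1 or info.is_dir()) and not UUID4_RE.match(parts[0]):
                problems.append(f"directory is not a UUID v4: {parts[0]}")
    return problems


def build_zip(members: dict) -> bytes:
    """Build an in-memory ZIP from {name: bytes}; constructed test data only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()
```

Run the validator on the uploaded bytes and refuse the restore if the returned list is non-empty; only then hand the archive to the extractor.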