CVE-2026-33981
Received - Intake
Environment Variable Disclosure via jq Filter in changedetection.io

Publication date: 2026-03-27

Last updated on: 2026-04-02

Assigner: GitHub, Inc.

Description
changedetection.io is a free open source web page change detection tool. Prior to 0.54.7, the `jq:` and `jqraw:` include filter expressions allow use of the jq `env` builtin, which reads all process environment variables and stores them as the watch snapshot. An authenticated user (or unauthenticated user when no password is set, the default) can leak sensitive environment variables including `SALTED_PASS`, `PLAYWRIGHT_DRIVER_URL`, `HTTP_PROXY`, and any secrets passed as env vars to the container. Version 0.54.7 patches the issue.
Meta Information
Published: 2026-03-27
Last Modified: 2026-04-02
Generated: 2026-06-16
AI Q&A: 2026-03-28
EPSS Evaluated: 2026-06-15
Affected Vendors & Products (1 associated CPE)
Vendor: webtechnologies
Product: changedetection
Version / Range: up to 0.54.7, excluding 0.54.7 (every release before 0.54.7 is affected)
CWE
CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor): The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
AI Quick Actions (AI-generated insights)
Executive Summary

The vulnerability exists in changedetection.io versions prior to 0.54.7, where the `jq:` and `jqraw:` include filter expressions allow the use of the jq `env` builtin. That builtin returns every environment variable of the changedetection.io process, and because the filter's output is what gets stored as the watch snapshot, the whole environment ends up persisted where the user who configured the watch can read it.

Any authenticated user can therefore leak sensitive environment variables, and so can an unauthenticated user when no password is set, which is the default configuration. These variables may include `SALTED_PASS`, `PLAYWRIGHT_DRIVER_URL`, `HTTP_PROXY`, and any other secret passed to the container as an environment variable.

The issue was fixed in version 0.54.7.

Impact Analysis

This vulnerability exposes the environment of the changedetection.io process, and with it every secret configured through environment variables, to users who are not authorized to see it.

An attacker who exploits it obtains whatever the container was started with: the credential material for the instance's own login (`SALTED_PASS`), the browser-driver connection URL (`PLAYWRIGHT_DRIVER_URL`, which may carry an access token), proxy settings (`HTTP_PROXY`, which may carry proxy credentials), and any other secret the operator passed the same way.

Because those values are valid beyond the changedetection.io instance itself (proxy or browser-service credentials reach infrastructure behind it, and other tokens are usable wherever they were issued), a single malicious watch can become the starting point for further attacks, unauthorized access, or data breaches.

Mitigation Strategies

Upgrade changedetection.io to version 0.54.7 or later. That is the only complete fix, because the affected filters are usable by any logged-in user.

Until the upgrade is in place, set a password so the instance is not open to unauthenticated users (the default configuration lets anyone who can reach the service create watches) and restrict network access to it. A password only narrows the attacker set to authenticated users; it does not remove the vulnerability.

If an unpatched instance was reachable by untrusted users, treat every value in its process environment as exposed and rotate it: change the password behind `SALTED_PASS`, replace any token embedded in `PLAYWRIGHT_DRIVER_URL` or `HTTP_PROXY`, and rotate any other secret supplied to the container as an environment variable. Review existing watch snapshots as well, since a leaked environment is stored as snapshot content and stays readable until the snapshot is deleted.
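The mechanism from the description (a user-supplied jq filter that evaluates `env`, with the result persisted as the snapshot) and the hardening a maintainer would want for it, as an added example that is not code from changedetection.io and not its 0.54.7 fix, whose exact approach this page does not state. It assumes the filter is applied by running the jq CLI in a subprocess; as far as I know the project binds libjq in-process through the `jq` Python package, so the empty-environment subprocess only illustrates the scrubbing idea. The function names, the sample document and the `SALTED_PASS` value set in the demo are all constructed. The static check also covers `$ENV`, jq's variable form of the same data, which the advisory text does not mention.

```python
"""Leak pattern behind CVE-2026-33981 and two ways to close it.

Added example, not code from changedetection.io.  ASSUMPTION: the filter is
applied by running the jq CLI in a subprocess (the project binds libjq
in-process, so `env={}` here illustrates environment scrubbing rather than
reproducing the project's actual 0.54.7 fix).  Function names are mine.
"""
import json
import os
import re
import shutil
import subprocess

def _executable_source(text: str) -> str:
    """Blank out comments and string-literal text, but keep the code inside
    jq string interpolations "\\(expr)", which executes like any other
    expression; a regex check that ignored that would miss "\\(env)".
    Blanked characters become spaces so token boundaries survive."""
    out, i, n = [], 0, len(text)
    in_string, depths = False, []  # depths: paren depth per open interpolation
    while i < n:
        c = text[i]
        if in_string:
            if c == "\\" and i + 1 < n:  # escape, or "\(" opening an interpolation
                if text[i + 1] == "(":
                    depths.append(0)
                    in_string = False
                out.append("  ")
                i += 2
                continue
            if c == '"':
                in_string = False
            out.append(" ")
            i += 1
            continue
        if c == "#":  # comment runs to end of line
            while i < n and text[i] != "\n":
                out.append(" ")
                i += 1
            continue
        if c == '"':
            in_string = True
            out.append(" ")
            i += 1
            continue
        if depths:
            if c == "(":
                depths[-1] += 1
            elif c == ")":
                if depths[-1] == 0:  # interpolation closed: back inside the string
                    depths.pop()
                    in_string = True
                    out.append(" ")
                    i += 1
                    continue
                depths[-1] -= 1
        out.append(c)
        i += 1
    return "".join(out)

# $variable, .field, or bare identifier, tried in that order, so `.env`
# (a field lookup) is never confused with `env` (the builtin).
_TOKEN = re.compile(r"\$[A-Za-z_]\w*|\.[A-Za-z_]\w*|[A-Za-z_]\w*")

def references_environment(filter_text: str) -> bool:
    """True if the filter can read the process environment: jq exposes it
    as the `env` builtin and the `$ENV` variable.  A bare `env` used as an
    object key ({env: .x}) is rejected too; that is deliberately conservative."""
    src = _executable_source(filter_text)
    return any(m.group(0) in ("env", "$ENV") for m in _TOKEN.finditer(src))

def jq_available() -> bool:
    return shutil.which("jq") is not None

def run_jq(filter_text: str, document, env):
    """Run the jq CLI over `document`; env=None inherits the process
    environment (the vulnerable shape, where filter "env" returns all of
    it), env={} starts jq with nothing to leak."""
    jq_path = shutil.which("jq")  # resolved before the environment is scrubbed
    if jq_path is None:
        raise RuntimeError("jq CLI not found on PATH")
    proc = subprocess.run([jq_path, "-c", filter_text], input=json.dumps(document),
                          capture_output=True, text=True, env=env, check=True)
    return [json.loads(line) for line in proc.stdout.splitlines() if line.strip()]

def apply_include_filter(filter_text: str, document):
    """Hardened shape: reject env-reading filters up front, and start jq with
    an empty environment anyway so a bypass of the static check yields {}."""
    if references_environment(filter_text):
        raise ValueError("jq filter may not read the process environment")
    return run_jq(filter_text, document, env={})

if __name__ == "__main__" and jq_available():
    os.environ["SALTED_PASS"] = "constructed-demo-value"  # constructed, not a real secret
    print(run_jq("env", {}, env=None)[0].get("SALTED_PASS"))  # constructed-demo-value: leaked
    print(run_jq("env", {}, env={}), apply_include_filter(".a", {"a": 1}))  # [{}] [1]
```

Two layers are worth keeping: the static check stops the obvious filters and gives the user a clear error, while the scrubbed environment means that a filter which slips past the scanner (jq's grammar is richer than this tokenizer) still has nothing to read. Whatever the project actually changed in 0.54.7, the upgrade remains the fix to apply.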

Compliance Impact

The vulnerability allows an authenticated or unauthenticated user (if no password is set) to leak sensitive environment variables, including secrets and credentials. This exposure of sensitive data could lead to non-compliance with data protection standards and regulations such as GDPR and HIPAA, which require the protection of sensitive information and proper access controls.

Specifically, leaking environment variables that contain secrets may violate confidentiality requirements and increase the risk of unauthorized data access, which is contrary to the principles of these regulations.
