CVE-2026-33981
Environment Variable Disclosure via jq Filter in changedetection.io
Publication date: 2026-03-27
Last updated on: 2026-04-02
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| webtechnologies | changedetection | to 0.54.7 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-200 | The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability exists in changedetection.io versions prior to 0.54.7, where the `jq:` and `jqraw:` include filter expressions allow the use of the jq `env` builtin. This builtin reads all process environment variables and stores them as part of the watch snapshot.
Because of this, an authenticated userβor even an unauthenticated user if no password is set (which is the default)βcan access and leak sensitive environment variables. These variables may include secrets such as `SALTED_PASS`, `PLAYWRIGHT_DRIVER_URL`, `HTTP_PROXY`, and any other secrets passed as environment variables to the container.
The issue was fixed in version 0.54.7.
How can this vulnerability impact me? :
This vulnerability can lead to the exposure of sensitive environment variables and secrets to unauthorized users.
If exploited, attackers could gain access to confidential information such as passwords, URLs, proxy settings, and other secrets used by the application or container.
Such exposure can compromise the security of the system, potentially allowing further attacks, unauthorized access, or data breaches.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, upgrade changedetection.io to version 0.54.7 or later, where the issue has been patched.
Additionally, ensure that a password is set to prevent unauthenticated users from accessing the service, as the default configuration allows unauthenticated access which can lead to sensitive environment variable leakage.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability allows an authenticated or unauthenticated user (if no password is set) to leak sensitive environment variables, including secrets and credentials. This exposure of sensitive data could lead to non-compliance with data protection standards and regulations such as GDPR and HIPAA, which require the protection of sensitive information and proper access controls.
Specifically, leaking environment variables that contain secrets may violate confidentiality requirements and increase the risk of unauthorized data access, which is contrary to the principles of these regulations.