CVE-2026-35036
Status: Received - Intake
SSRF in Ech0 Link Preview API Allows Server-Side Requests

Publication date: 2026-04-06

Last updated on: 2026-04-14

Assigner: GitHub, Inc.

Description
Ech0 is an open-source, self-hosted publishing platform for personal idea sharing. Prior to 4.2.8, Ech0 implements link preview (the editor fetches a page title) through GET /api/website/title. That is legitimate product behavior, but the implementation is unsafe: the route is unauthenticated, accepts a fully attacker-controlled URL, performs a server-side GET, and reads the entire response body into memory (io.ReadAll). There is no host allowlist, no SSRF filter, and InsecureSkipVerify: true is set on the outbound client. Anyone who can reach the instance can force the Ech0 server to open HTTP/HTTPS URLs of their choice as seen from the server’s network position (Docker bridge, VPC, localhost from the process view). This vulnerability is fixed in 4.2.8.
Meta Information
Published: 2026-04-06
Last Modified: 2026-04-14
Generated: 2026-05-07
AI Q&A: 2026-04-06
EPSS Evaluated: 2026-05-05
NVD
Affected Vendors & Products
Showing 1 associated CPE
Vendor: ech0
Product: ech0
Version / Range: up to 4.2.8 (excluding)
CWE
CWE-918: The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-35036 is a high-severity Server-Side Request Forgery (SSRF) vulnerability in the Ech0 open-source publishing platform, affecting all versions prior to 4.2.8.

The vulnerability exists in the unauthenticated GET endpoint /api/website/title, which accepts a fully attacker-controlled URL parameter. The server performs an outbound HTTP(S) GET request to fetch the page title by reading the entire response body into memory without any size limits.

Key issues include no authentication, no host allowlist or SSRF filtering, insecure HTTP client configuration that disables TLS certificate verification (InsecureSkipVerify: true), and automatic following of redirects. This allows attackers to make the server request arbitrary URLs, including internal network addresses, potentially accessing sensitive internal services.

The vulnerability can be exploited to leak internal data, access metadata services, and cause denial of service by forcing the server to read large responses.


How can this vulnerability impact me?

This vulnerability can have several impacts:

  • Attackers can perform SSRF to access internal or restricted network resources from the server’s perspective.
  • Potential unauthorized data leakage from internal services, including sensitive metadata endpoints.
  • Possible Denial of Service (DoS) by forcing the server to read very large HTTP responses into memory.
  • TLS verification bypass increases the risk of man-in-the-middle attacks on internal HTTPS services.

How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by testing the unauthenticated GET endpoint /api/website/title on the Ech0 server to see if it accepts arbitrary URLs and fetches their content.

A simple detection method is to send a request to the endpoint with a controlled URL parameter and observe if the server returns the page title from that URL.

Example command using curl to test the vulnerability:

  • curl -G 'http://<ech0-server>/api/website/title' --data-urlencode 'website_url=http://example.com'

If the server responds with the title of the example.com page, it indicates the vulnerability is present.

Further detection can include testing access to internal or localhost URLs (e.g., http://169.254.169.254 or http://localhost) to check for SSRF exploitation.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The vulnerability allows attackers to perform unauthenticated Server-Side Request Forgery (SSRF) to access internal or restricted network resources from the server’s perspective, potentially leading to unauthorized data access.

This unauthorized data access could result in data leakage from internal services, which may include sensitive or personal information.

Such data leakage risks could negatively impact compliance with data protection regulations like GDPR and HIPAA, which require safeguarding personal and sensitive data against unauthorized access.

Additionally, the vulnerability’s TLS verification bypass increases the risk of man-in-the-middle attacks on internal HTTPS services, further compromising data confidentiality.


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include:

  • Upgrade Ech0 to version 4.2.8 or later where this vulnerability is fixed.
  • If upgrading is not immediately possible, restrict network access to the Ech0 instance to trusted users only.
  • Implement network-level egress restrictions to prevent the Ech0 server from making arbitrary outbound HTTP/HTTPS requests.
  • Apply firewall rules or host allowlists to block requests to internal, link-local, metadata, and loopback addresses.
  • Disable or limit HTTP redirect following in the application if possible.
  • Remove or disable the InsecureSkipVerify setting to enforce proper TLS certificate validation.
  • Implement response size and timeout limits on outbound requests to mitigate potential Denial of Service attacks.
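The mitigation list above maps onto a handful of concrete changes in the outbound HTTP client. The following Go program is an added example written for this page; it is not Ech0's code and not the 4.2.8 fix, and the function names (validateTargetURL, newSafeClient, fetchTitle, extractTitle), the 1 MiB body cap and the 10-second timeout are choices made here. It shows a destination policy that refuses loopback, link-local (which includes the 169.254.169.254 metadata address), private, unspecified and multicast addresses, applied once before the request and again inside the dialer so that a hostname which resolves to an internal address is still blocked; a client that keeps certificate verification enabled instead of setting InsecureSkipVerify; re-validation of every redirect target; and a bounded read in place of an unlimited io.ReadAll.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"io"
	"net"
	"net/http"
	"net/url"
	"regexp"
	"strings"
	"syscall"
	"time"
)

const maxBody = 1 << 20 // 1 MiB cap chosen for this example; the vulnerable code used io.ReadAll with no limit

var titleRe = regexp.MustCompile(`(?is)<title[^>]*>(.*?)</title>`)

// forbiddenIP rejects loopback, link-local (169.254.0.0/16 covers the metadata address), private, unspecified and multicast ranges.
func forbiddenIP(ip net.IP) bool {
	return ip.IsLoopback() || ip.IsLinkLocalUnicast() || ip.IsLinkLocalMulticast() ||
		ip.IsPrivate() || ip.IsUnspecified() || ip.IsMulticast()
}

// validateTargetURL is the request-time policy: http/https only, no localhost names, no literal non-public IPs.
// Hostnames are not resolved here; the dial-time Control hook in newSafeClient checks the concrete IP.
func validateTargetURL(raw string) (*url.URL, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return nil, err
	}
	if u.Scheme != "http" && u.Scheme != "https" {
		return nil, fmt.Errorf("scheme %q not allowed", u.Scheme)
	}
	host := strings.ToLower(u.Hostname())
	if host == "" || host == "localhost" || strings.HasSuffix(host, ".localhost") {
		return nil, fmt.Errorf("host %q not allowed", host)
	}
	if ip := net.ParseIP(host); ip != nil && forbiddenIP(ip) {
		return nil, fmt.Errorf("non-public address %s not allowed", ip)
	}
	return u, nil
}

// newSafeClient: certificate verification on, bounded timeout, redirects re-validated, non-public dials refused.
func newSafeClient() *http.Client {
	dialer := &net.Dialer{
		// Control runs after name resolution with the concrete IP, so a hostname that resolves (or
		// later rebinds) to 127.0.0.1 or 10.0.0.0/8 is refused even though the URL looked public.
		Control: func(_, address string, _ syscall.RawConn) error {
			host, _, err := net.SplitHostPort(address)
			if err != nil {
				return err
			}
			if ip := net.ParseIP(host); ip == nil || forbiddenIP(ip) {
				return fmt.Errorf("refusing to dial %s", address)
			}
			return nil
		},
	}
	return &http.Client{
		Timeout: 10 * time.Second,
		Transport: &http.Transport{
			DialContext:     dialer.DialContext,
			TLSClientConfig: &tls.Config{MinVersion: tls.VersionTLS12}, // no InsecureSkipVerify: verification stays on
		},
		// Each redirect target is re-validated, and the new hop is dialed through Control again.
		CheckRedirect: func(req *http.Request, _ []*http.Request) error {
			_, err := validateTargetURL(req.URL.String())
			return err
		},
	}
}

// fetchTitle validates the URL, reads at most maxBody bytes and returns the page's <title> text.
func fetchTitle(client *http.Client, raw string) (string, error) {
	u, err := validateTargetURL(raw)
	if err != nil {
		return "", err
	}
	resp, err := client.Get(u.String())
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(io.LimitReader(resp.Body, maxBody)) // bounded read
	return extractTitle(string(body)), err
}

// extractTitle returns the trimmed text of the first <title> element, or "" if none.
func extractTitle(doc string) string {
	if m := titleRe.FindStringSubmatch(doc); m != nil {
		return strings.TrimSpace(m[1])
	}
	return ""
}
```

The dial-time check is the one that matters for names: validateTargetURL never resolves DNS, so a preview URL with a public-looking hostname passes the pre-check and is then accepted or refused according to the address actually connected to. Because every redirect hop goes through the same dialer, a public page that redirects to an internal address is refused at the hop rather than followed. Egress firewalling at the network level, as the list recommends, remains a separate layer that does not depend on the application getting this right.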
