CVE-2026-35037
Received Received - Intake
Server-Side Request Forgery in Ech0 API Allows Internal Access

Publication date: 2026-04-06

Last updated on: 2026-04-22

Assigner: GitHub, Inc.

Description
Ech0 is an open-source, self-hosted publishing platform for personal idea sharing. Prior to 4.2.8, the GET /api/website/title endpoint accepts an arbitrary URL via the website_url query parameter and makes a server-side HTTP request to it without any validation of the target host or IP address. The endpoint requires no authentication. An attacker can use this to reach internal network services, cloud metadata endpoints (169.254.169.254), and localhost-bound services, with partial response data exfiltrated via the HTML <title> tag extraction This vulnerability is fixed in 4.2.8.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-06
Last Modified
2026-04-22
Generated
2026-06-16
AI Q&A
2026-04-06
EPSS Evaluated
2026-06-15
NVD
CVE-2026-35037
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
ech0 ech0 to 4.2.8 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-918 The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The vulnerability allows unauthenticated attackers to perform Server-Side Request Forgery (SSRF) attacks that can access internal network services and cloud metadata endpoints, potentially leading to theft of cloud credentials and sensitive instance metadata.

Such unauthorized access and data exfiltration could result in exposure of sensitive personal or organizational data, which may violate data protection regulations like GDPR or HIPAA that require safeguarding of confidential information.

By enabling attackers to bypass network controls and extract sensitive information without authentication, this vulnerability increases the risk of non-compliance with standards mandating strict access controls and data confidentiality.

Executive Summary

CVE-2026-35037 is a high-severity Server-Side Request Forgery (SSRF) vulnerability in the Ech0 open-source publishing platform versions prior to 4.2.8. The vulnerability exists in the GET /api/website/title endpoint, which accepts a user-supplied URL via the website_url query parameter and makes a server-side HTTP request to that URL without any validation or authentication.

Because the endpoint does not validate the target host or IP address, an attacker can make the server send requests to internal network services, localhost services, or cloud metadata endpoints such as 169.254.169.254. The server then extracts the HTML <title> tag from the response and returns it, allowing partial data exfiltration.

This means an attacker can use the vulnerable server as a proxy to access internal resources and exfiltrate sensitive information without any authentication.

Impact Analysis

This vulnerability can have several serious impacts:

  • Theft of cloud credentials and sensitive instance metadata by accessing cloud metadata endpoints.
  • Internal network reconnaissance and discovery of services running on localhost or private IP ranges.
  • Unauthorized access to internal or localhost-bound services such as Redis or admin panels.
  • Bypassing firewall and network access controls by using the vulnerable server as a proxy.
  • Data leakage through exfiltration of partial response data embedded in HTML <title> tags.

Since the endpoint requires no authentication, any attacker with network access to the Ech0 instance can exploit this vulnerability.

Detection Guidance

This vulnerability can be detected by testing the vulnerable endpoint /api/website/title with crafted URLs to see if the server makes HTTP requests to internal or cloud metadata services and returns data in the <title> tag.

Example commands to detect the vulnerability include using curl to send requests to the endpoint with URLs targeting internal services or cloud metadata endpoints, such as AWS IMDS (169.254.169.254) or localhost services.

  • curl 'http://<ech0-server>/api/website/title?website_url=http://169.254.169.254/latest/meta-data/'
  • curl 'http://<ech0-server>/api/website/title?website_url=http://127.0.0.1:6379/'
  • curl 'http://<ech0-server>/api/website/title?website_url=http://internal-admin-panel.local/'

A controlled external HTTP server can also be used to confirm SSRF by returning a known <title> string and verifying if it is reflected in the API response.

Mitigation Strategies

Immediate mitigation steps include upgrading Ech0 to version 4.2.8 or later where this vulnerability is fixed.

If upgrading is not immediately possible, consider implementing the following temporary mitigations:

  • Restrict access to the /api/website/title endpoint by adding authentication or network-level access controls.
  • Implement strict URL validation to allow only http and https schemes and block requests to private, reserved, and link-local IP ranges such as 127.0.0.0/8, 10.0.0.0/8, and 169.254.0.0/16.
  • Disable or restrict automatic HTTP redirect following to prevent DNS rebinding attacks.
  • Remove or disable the InsecureSkipVerify setting to enforce TLS certificate verification.
  • Add rate limiting to the vulnerable endpoint to reduce abuse potential.
Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-35037. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart