PT-2026-28583 · Jq
Sajdakabir +1 · Published 2026-03-27 · Updated 2026-03-28 · CVE-2026-33981
CVSS v4.0: 8.3 (High)
| Vector | AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N |
Name of the Vulnerable Software and Affected Versions
changedetection.io versions prior to 0.54.7
Description
The jq: and jqraw: include filter expressions in changedetection.io allow the use of the jq env builtin, which reads all process environment variables and stores them as the watch snapshot. An authenticated user, or an unauthenticated user when no password is set, can leak sensitive environment variables including SALTED_PASS, PLAYWRIGHT_DRIVER_URL, HTTP_PROXY, and any secrets passed as environment variables to the container. The vulnerability resides in the html_tools.py file, specifically lines 380-388, where user-supplied jq filter expressions are compiled and executed without restricting dangerous jq builtins. The form validator only checks that the expression compiles and does not block dangerous functions such as env. An attacker can therefore create a watch for any JSON endpoint using jqraw:env as the include filter, which exposes all environment variables in the processed text file. This can lead to secret exposure, infrastructure credential theft, and potential cascading access to other internal systems.
Recommendations
Update to changedetection.io version 0.54.7 or later.
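The description says the form validator only checks that the filter compiles. The sketch below is an added example, not changedetection.io's code or its 0.54.7 fix: a lexical pre-check that rejects an include filter calling deny-listed jq builtins. The names BLOCKED, executable_text and blocked_builtins are hypothetical, and every deny-list entry other than env is an assumption of this example.

```python
import re

# Assumption: deny-list picked for this example; the advisory itself names only `env`.
BLOCKED = {"env", "$ENV", "input_filename", "halt", "halt_error"}
TOKEN = re.compile(r"\$?[A-Za-z_][A-Za-z0-9_]*")

def executable_text(expr):
    """Blank out string-literal text and comments, keeping code inside \\( ... )."""
    out, stack, i = [], [0], 0   # stack entry: int = paren depth in code, None = in string
    while i < len(expr):
        c, top = expr[i], stack[-1]
        if top is None:                               # inside "..."
            if c == "\\" and expr[i + 1:i + 2] == "(":
                stack.append(0)                       # interpolation is evaluated as code
                i += 1
            elif c == "\\":
                i += 1                                # skip the escaped character
            elif c == '"':
                stack.pop()
            out.append(" ")
        elif c == '"':
            stack.append(None)
            out.append(" ")
        elif c == "#":                                # comment runs to end of line
            while i < len(expr) and expr[i] != "\n":
                i += 1
            continue
        elif c == ")" and top == 0 and len(stack) > 1:
            stack.pop()                               # end of interpolation, back in string
            out.append(" ")
        else:
            if c in "()":
                stack[-1] += 1 if c == "(" else -1
            out.append(c)
        i += 1
    return "".join(out)

def blocked_builtins(filter_line):
    """Return the deny-listed jq builtins an include-filter line would call."""
    expr = re.sub(r"^\s*jq(raw)?:", "", filter_line)  # prefixes named in the advisory
    code = executable_text(expr)
    hits = set()
    for m in TOKEN.finditer(code):
        before = code[:m.start()]
        is_field = before.endswith(".") and not before.endswith("..")  # `.env` is a JSON key
        if m.group() in BLOCKED and not is_field:
            hits.add(m.group())
    return sorted(hits)
```

The check fails closed: a filter that defines its own function named env, or writes ..env, is rejected as well, while .env and the string "env" are accepted as ordinary JSON key and value.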
Information Disclosure
Affected Products
Playwright
Changedetection.Io
Jq