Platform
go
Component
github.com/lin-snow/ech0
Fixed in
4.2.9
1.4.8-0.20260401031029-4ca56fea5ba4
CVE-2026-35037 describes a Server-Side Request Forgery (SSRF) vulnerability within the ech0 web application, specifically affecting versions before 1.4.8-0.20260401031029-4ca56fea5ba4. This flaw allows attackers to manipulate the application into making HTTP requests to arbitrary URLs, potentially exposing internal resources. The vulnerability resides in the /api/website/title endpoint, which lacks proper validation of the website_url query parameter. A fix has been released.
The SSRF vulnerability in ech0 poses a significant risk because it allows attackers to bypass security controls and interact with internal systems. An attacker could leverage this to access sensitive data exposed on internal network services, such as databases or configuration files. Furthermore, the ability to target cloud metadata endpoints (e.g., 169.254.169.254) could reveal credentials or other sensitive information stored in cloud environments. The partial response data exfiltrated via the HTML <title> tag extraction makes it possible to gather information incrementally, potentially evading detection. This vulnerability shares similarities with other SSRF exploits where attackers use the server as a proxy to access resources it shouldn't.
CVE-2026-35037 was publicly disclosed on April 3, 2026. The vulnerability's severity is rated HIGH (CVSS 7.2). There is currently no indication of this vulnerability being actively exploited in the wild, nor is it listed on the CISA KEV catalog. Public proof-of-concept (POC) code is not yet available, but the vulnerability's nature makes it likely that a POC will be developed and shared in the near future.
Organizations deploying ech0 in environments with internal services or cloud infrastructure are at risk. Specifically, deployments that expose internal services via the internet or use cloud metadata endpoints for configuration are particularly vulnerable. Shared hosting environments where multiple users share the same ech0 instance are also at increased risk, as a compromised user could potentially exploit the vulnerability to access other users' data.
• linux / server: Use journalctl to filter for requests to the /api/website/title endpoint with unusual website_url parameters. Example: journalctl | grep '/api/website/title' | grep 'website_url='
• generic web: Use curl to test the /api/website/title endpoint with various URLs, including internal IP addresses and cloud metadata endpoints. Example: curl 'http://your-ech0-instance/api/website/title?website_url=http://169.254.169.254'
• generic web: Examine access and error logs for requests to /api/website/title with suspicious or unexpected URLs. Look for patterns indicating attempts to access internal resources.
disclosure
Exploit status
EPSS
0.04% (12th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-35037 is to immediately upgrade to version 1.4.8-0.20260401031029-4ca56fea5ba4 or later. If upgrading is not immediately feasible, consider implementing a Web Application Firewall (WAF) or reverse proxy to filter incoming requests and block those containing suspicious URLs in the website_url parameter. Specifically, block requests to internal IP ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) and cloud metadata endpoints. Additionally, implement strict input validation on the website_url parameter to ensure it adheres to an expected format and only allows trusted domains. After upgrading, confirm the fix by attempting to access the /api/website/title endpoint with a known malicious URL and verifying that the request is blocked or handled securely.
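One way to implement the host validation this mitigation calls for, written in Go to match the ech0 code base (an added example, not ech0's own fix; the names `Resolver`, `IsBlockedIP` and `ValidateTargetURL` are assumed here): parse the website_url value, resolve it, and refuse anything that points at a loopback, private, link-local (including 169.254.169.254) or otherwise non-routable address.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"net"
	"net/url"
)

// Resolver is injectable so the check can run offline in tests (hypothetical name, not ech0's).
type Resolver func(ctx context.Context, host string) ([]net.IP, error)

var ErrBlocked = errors.New("target address is not allowed") // wrapped by every rejection below

// IsBlockedIP rejects loopback, private (10/8, 172.16/12, 192.168/16, fc00::/7), link-local (169.254/16,
// which holds the cloud metadata address, and fe80::/10), multicast and unspecified addresses;
// IPv4-mapped IPv6 forms such as ::ffff:10.0.0.1 are unwrapped by these helpers.
func IsBlockedIP(ip net.IP) bool {
	return ip.IsLoopback() || ip.IsPrivate() || ip.IsLinkLocalUnicast() ||
		ip.IsLinkLocalMulticast() || ip.IsMulticast() || ip.IsUnspecified()
}

// ValidateTargetURL parses a user-supplied website_url, requires http(s) without credentials, resolves the
// host and rejects the request if ANY resolved address is blocked (the HTTP client may pick any of them).
func ValidateTargetURL(ctx context.Context, raw string, resolve Resolver) ([]net.IP, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return nil, err
	}
	if (u.Scheme != "http" && u.Scheme != "https") || u.Hostname() == "" || u.User != nil {
		return nil, fmt.Errorf("%w: bad scheme, empty host or credentials in %q", ErrBlocked, raw)
	}
	var ips []net.IP
	if ip := net.ParseIP(u.Hostname()); ip != nil {
		ips = []net.IP{ip} // literal address: no DNS lookup needed
	} else if ips, err = resolve(ctx, u.Hostname()); err != nil {
		return nil, err
	}
	for _, ip := range ips {
		if IsBlockedIP(ip) {
			return nil, fmt.Errorf("%w: %s resolves to %s", ErrBlocked, u.Hostname(), ip)
		}
	}
	return ips, nil
}

func main() {
	system := func(ctx context.Context, h string) ([]net.IP, error) { return net.DefaultResolver.LookupIP(ctx, "ip", h) }
	_, err := ValidateTargetURL(context.Background(), "http://169.254.169.254/latest/meta-data/", system)
	fmt.Println("metadata endpoint:", err) // rejected before any network access
}
```

Dial the returned addresses rather than the hostname, and run the check again on every redirect the client follows; otherwise a second DNS answer or a 302 to an internal host bypasses it.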
Update Ech0 to version 4.2.8 or later to mitigate the SSRF vulnerability. This version implements correct target host validation in the /api/website/title endpoint, which prevents unauthorized access to internal services and cloud metadata.
CVE-2026-35037 is a Server-Side Request Forgery (SSRF) vulnerability in ech0 versions before 1.4.8-0.20260401031029-4ca56fea5ba4, allowing attackers to make requests to arbitrary URLs.
You are affected if you are using ech0 version prior to 1.4.8-0.20260401031029-4ca56fea5ba4. Check your version and upgrade immediately.
Upgrade to version 1.4.8-0.20260401031029-4ca56fea5ba4 or later. Implement WAF rules to block suspicious URLs as a temporary workaround.
There is currently no evidence of active exploitation, but the vulnerability's nature makes it a potential target.
Refer to the ech0 project's official repository and release notes for the advisory and detailed information.