Platform
nodejs
Component
ech0
Fixed in
4.2.9
CVE-2026-35036 describes a Server-Side Request Forgery (SSRF) vulnerability discovered in Ech0, an open-source publishing platform. This flaw allows an attacker to force the Ech0 server to make requests to arbitrary HTTP/HTTPS URLs, potentially exposing internal resources or sensitive data. The vulnerability affects versions prior to 4.2.8 and has been resolved with the release of version 4.2.8. A patch is available and recommended.
The SSRF vulnerability in Ech0 allows an attacker to abuse the platform's link preview functionality. Because the /api/website/title endpoint is unauthenticated and accepts a fully attacker-controlled URL without proper validation, an attacker can make the server fetch content from internal services or external resources. This could lead to data exfiltration, reconnaissance of the internal network, and potentially access to sensitive information that is reachable only from behind the firewall. The InsecureSkipVerify: true setting on the outbound client further exacerbates the risk: it disables TLS certificate verification, so the server accepts whatever certificate the destination presents and will complete connections to untrusted hosts. Exploitation would resemble SSRF attacks seen in other web applications where internal APIs are inadvertently exposed through a URL-fetching feature.
CVE-2026-35036 was publicly disclosed on 2026-04-06. There is no indication of this vulnerability being actively exploited at the time of writing. No public proof-of-concept (PoC) code has been released. The vulnerability is not currently listed on the CISA KEV catalog. The CVSS score of 7.5 (HIGH) indicates a significant potential for exploitation if left unaddressed.
Organizations running Ech0 instances, particularly those with exposed instances or those that rely on the platform for internal idea sharing, are at risk. Shared hosting environments where multiple users share the same Ech0 instance are also particularly vulnerable, as an attacker could potentially exploit the vulnerability through another user's account.
• nodejs / server:
journalctl -u ech0 -f | grep -i "io.ReadAll"
• generic web:
curl -I "<ech0_instance_url>/api/website/title?url=<malicious_url>"
# Check for unexpected server responses or internal IP addresses in the headers
Exploit Status
EPSS
0.04% (13th percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2026-35036 is to upgrade Ech0 to version 4.2.8 or later, which includes the necessary fixes to prevent the SSRF vulnerability. If upgrading is not immediately feasible, consider implementing a Web Application Firewall (WAF) rule to block requests to the /api/website/title endpoint with attacker-controlled URLs. Additionally, restrict network access to the Ech0 instance to only trusted sources. Review and strengthen the server's outbound network policies to prevent unauthorized connections. After upgrading, confirm the fix by attempting to trigger the link preview functionality with a known malicious URL and verifying that the request is blocked or handled securely.
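The two defensive points above (validate the url parameter before fetching, and keep certificate verification on in the outbound client) together with the log check from the detection hints, as an added example rather than Ech0's own code or the 4.2.8 patch. It is written in Go because the identifiers the advisory quotes (io.ReadAll, InsecureSkipVerify) are Go standard-library names. The function names, the Lookup type, the stub resolver and the .test hostnames are assumptions made for this example, and the request URIs in main are constructed, not real Ech0 log output.

```go
package main

import (
	"crypto/tls"
	"errors"
	"fmt"
	"net"
	"net/http"
	"net/url"
	"time"
)

// Lookup resolves a hostname. It is injected so the example runs offline with a stub;
// production code would pass net.LookupIP (an assumption, not Ech0's own wiring).
type Lookup func(host string) ([]net.IP, error)

// isInternal flags loopback, private (RFC 1918/ULA), link-local (where cloud
// metadata services live), unspecified, multicast and shared (100.64.0.0/10) space.
func isInternal(ip net.IP) bool {
	ip4 := ip.To4()
	return ip.IsLoopback() || ip.IsPrivate() || ip.IsLinkLocalUnicast() || ip.IsLinkLocalMulticast() ||
		ip.IsUnspecified() || ip.IsMulticast() || (ip4 != nil && ip4[0] == 100 && ip4[1]&0xc0 == 64)
}

// ValidatePreviewURL is the check the advisory says the endpoint lacks: http/https only,
// no credentials, and every address the host resolves to must be public (no half-trust).
func ValidatePreviewURL(raw string, lookup Lookup) (*url.URL, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return nil, fmt.Errorf("unparseable url: %w", err)
	}
	if (u.Scheme != "http" && u.Scheme != "https") || u.User != nil || u.Hostname() == "" {
		return nil, errors.New("only http(s) URLs with a host and no credentials are allowed")
	}
	host := u.Hostname()
	ips := []net.IP{net.ParseIP(host)}
	if ips[0] == nil { // not an IP literal, so resolve it
		if ips, err = lookup(host); err != nil || len(ips) == 0 {
			return nil, fmt.Errorf("cannot resolve %q", host)
		}
	}
	for _, ip := range ips {
		if isInternal(ip) {
			return nil, fmt.Errorf("host %q resolves to blocked address %s", host, ip)
		}
	}
	return u, nil
}

// NewPreviewClient keeps certificate verification on (no InsecureSkipVerify), bounds the
// fetch with a timeout, and re-validates every redirect hop so a public host cannot bounce the server inward.
func NewPreviewClient(lookup Lookup) *http.Client {
	return &http.Client{
		Timeout:   5 * time.Second,
		Transport: &http.Transport{TLSClientConfig: &tls.Config{MinVersion: tls.VersionTLS12}},
		CheckRedirect: func(req *http.Request, via []*http.Request) error {
			_, err := ValidatePreviewURL(req.URL.String(), lookup)
			return err
		},
	}
}

// FlagSuspiciousRequests takes request URIs as they appear in an access log and
// returns the preview target of each /api/website/title call that would be rejected.
func FlagSuspiciousRequests(requestURIs []string, lookup Lookup) []string {
	var flagged []string
	for _, r := range requestURIs {
		req, err := url.ParseRequestURI(r)
		if err != nil || req.Path != "/api/website/title" {
			continue
		}
		if target := req.Query().Get("url"); target != "" {
			if _, err := ValidatePreviewURL(target, lookup); err != nil {
				flagged = append(flagged, target)
			}
		}
	}
	return flagged
}

// stubLookup is a constructed resolver so the example runs offline.
func stubLookup(host string) ([]net.IP, error) {
	switch host {
	case "example.com":
		return []net.IP{net.ParseIP("93.184.216.34")}, nil
	case "intranet.test":
		return []net.IP{net.ParseIP("10.0.0.5")}, nil
	case "split.test": // one public and one private record
		return []net.IP{net.ParseIP("203.0.113.7"), net.ParseIP("192.168.1.10")}, nil
	}
	return nil, errors.New("no such host")
}

func main() {
	// Constructed request URIs, not real Ech0 log output.
	fmt.Println(FlagSuspiciousRequests([]string{
		"/api/website/title?url=https%3A%2F%2Fexample.com%2Fpost",
		"/api/website/title?url=http%3A%2F%2F127.0.0.1%3A8080%2F",
	}, stubLookup))
}
```

The validator covers the unauthenticated-input half of the problem and the client covers the TLS and redirect half; FlagSuspiciousRequests applies the same rule to request URIs pulled from the access log, which is a more precise signal than grepping the service journal. One gap remains between the check and the connection: a name can answer differently on the second lookup, so a production fetcher should also resolve once and pin that address in a custom DialContext rather than let the transport resolve again.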
Update Ech0 to version 4.2.8 or later to mitigate the SSRF vulnerability. This update adds safeguards that stop the server from making unauthenticated requests to external websites, protecting the instance from potential attacks.
CVE-2026-35036 is a Server-Side Request Forgery (SSRF) vulnerability affecting Ech0 versions before 4.2.8. It allows attackers to make the server fetch arbitrary URLs, potentially exposing internal resources.
You are affected if you are running Ech0 version 0.0.0 through 4.2.7. Upgrade to 4.2.8 or later to mitigate the vulnerability.
Upgrade Ech0 to version 4.2.8 or later. As a temporary workaround, implement a WAF rule to block malicious requests to the /api/website/title endpoint.
There is currently no evidence of active exploitation of CVE-2026-35036, but the vulnerability's severity warrants prompt remediation.
Refer to the Ech0 project's official release notes and security advisories on their GitHub repository for the latest information.