CVE-2026-35036
Published: 06 April 2026
Summary
CVE-2026-35036 is a high-severity SSRF (CWE-918) vulnerability in Ech0. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 14.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and AC-4 (Information Flow Enforcement).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): Validates attacker-controlled URLs supplied to the unauthenticated /api/website/title endpoint to block SSRF exploitation before the server performs the outbound fetch.
- Monitors and controls the Ech0 server's outbound HTTP/HTTPS communications at boundaries to prevent and detect SSRF requests targeting internal resources like Docker bridges, VPCs, or localhost.
- AC-4 (Information Flow Enforcement): Enforces flow control policies restricting the server's outbound requests to approved destinations, mitigating SSRF access to unauthorized internal network positions.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
SSRF in an unauthenticated public endpoint enables T1190 (exploit public-facing application), T1046 (internal network service discovery via arbitrary URL requests), and T1522 (access to cloud/localhost metadata services).
NVD Description
Ech0 is an open-source, self-hosted publishing platform for personal idea sharing. Prior to 4.2.8, Ech0 implements link preview (editor fetches a page title) through GET /api/website/title. That is legitimate product behavior, but the implementation is unsafe: the route is unauthenticated, accepts a fully attacker-controlled URL, performs a server-side GET, reads the entire response body into memory (io.ReadAll). There is no host allowlist, no SSRF filter, and InsecureSkipVerify: true on the outbound client. Anyone who can reach the instance can force the Ech0 server to open HTTP/HTTPS URLs of their choice as seen from the server's network position (Docker bridge, VPC, localhost from the process view). This vulnerability is fixed in 4.2.8.
Deeper analysis
CVE-2026-35036 is a server-side request forgery (SSRF) vulnerability, classified under CWE-918, affecting Ech0, an open-source, self-hosted publishing platform for personal idea sharing. In versions prior to 4.2.8, the link preview feature, accessible via the unauthenticated GET /api/website/title endpoint, allows attackers to supply a fully controlled URL. The server then performs an outbound HTTP/HTTPS GET request using a client configured with InsecureSkipVerify: true, reads the entire response body into memory via io.ReadAll, and lacks any host allowlist or SSRF mitigations. The issue has a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), reflecting high confidentiality impact.
Any unauthenticated attacker who can reach the Ech0 instance over the network can exploit this by sending a crafted request to the /api/website/title endpoint with a malicious URL. This forces the server to fetch arbitrary HTTP/HTTPS resources from its own network perspective, such as Docker bridges, VPC internals, or localhost services, potentially exposing sensitive internal data or metadata.
The GitHub security advisory (GHSA-wc4h-2348-jc3p) confirms the vulnerability is fixed in Ech0 version 4.2.8, recommending immediate upgrades for affected instances.
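As an added defensive illustration (not Ech0's code; the function names and the documentation-range address 203.0.113.10 are hypothetical), the following Go snippet shows the kind of target check the description above says is missing before the outbound fetch: only absolute http/https URLs are accepted, every resolved address is tested against the internal network positions the advisory names (localhost, Docker bridge and VPC private ranges, link-local including the cloud metadata address), and the vetted IP is handed back so the fetch can dial it directly instead of resolving a second time. Lookup is a package variable so tests can stub DNS and run offline.

```go
package main

import (
	"context"
	"fmt"
	"net"
	"net/url"
)

// Lookup is a variable so tests can stub DNS; the system resolver returns IP literals without querying.
var Lookup = func(ctx context.Context, host string) ([]net.IPAddr, error) {
	return net.DefaultResolver.LookupIPAddr(ctx, host)
}

// forbidden covers the positions the advisory names (localhost, Docker bridge and VPC
// private ranges) plus link-local, which includes the 169.254.169.254 metadata endpoint.
func forbidden(ip net.IP) bool {
	return ip.IsLoopback() || ip.IsPrivate() || ip.IsLinkLocalUnicast() || ip.IsUnspecified() || ip.IsMulticast()
}

// ValidatePreviewTarget accepts only absolute http/https URLs, resolves the host once and
// refuses the request if ANY returned address is forbidden. The vetted IP is returned so
// the fetch dials it directly rather than resolving again (closes the DNS-rebinding gap).
func ValidatePreviewTarget(ctx context.Context, raw string) (net.IP, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return nil, err
	}
	host := u.Hostname()
	if (u.Scheme != "http" && u.Scheme != "https") || host == "" {
		return nil, fmt.Errorf("only absolute http/https URLs are allowed: %q", raw)
	}
	addrs, err := Lookup(ctx, host)
	if err != nil || len(addrs) == 0 {
		return nil, fmt.Errorf("cannot resolve %q", host)
	}
	for _, a := range addrs {
		if forbidden(a.IP) {
			return nil, fmt.Errorf("%s resolves to forbidden address %s", host, a.IP)
		}
	}
	return addrs[0].IP, nil
}

func main() { // 203.0.113.10 is a documentation-range address used as a stand-in
	for _, u := range []string{"http://169.254.169.254/latest/meta-data/", "https://203.0.113.10/"} {
		ip, err := ValidatePreviewTarget(context.Background(), u)
		fmt.Println(u, ip, err)
	}
}
```

The two other defects the description lists are left to the caller: keep certificate verification on (no InsecureSkipVerify) and read the body through io.LimitReader with a fixed cap rather than io.ReadAll.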
Details
- CWE(s)