CVE-2026-35037
Published: 06 April 2026
Summary
CVE-2026-35037 is a high-severity SSRF (CWE-918) vulnerability in Ech0. Its CVSS base score is 7.2 (High).
Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability is ranked at the 15.9th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-4 (Information Flow Enforcement) and SC-7 (Boundary Protection).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- Requires validation of the arbitrary website_url query parameter to block SSRF requests targeting internal hosts, localhost, or cloud metadata endpoints.
- Enforces flow control policies restricting server-side HTTP requests from the vulnerable endpoint to only authorized external destinations, preventing access to unintended internal resources.
- Deploys boundary protections like web application firewalls to monitor, filter, and block unauthorized outbound requests initiated by the unauthenticated SSRF endpoint.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
SSRF in a public-facing app directly enables T1190 for initial access. Because the endpoint issues arbitrary unauthenticated HTTP requests and leaks part of each response, it also facilitates internal reconnaissance via T1018 (Remote System Discovery), T1046 (Network Service Discovery), and T1522 (Cloud Instance Metadata API).
NVD Description
Ech0 is an open-source, self-hosted publishing platform for personal idea sharing. Prior to 4.2.8, the GET /api/website/title endpoint accepts an arbitrary URL via the website_url query parameter and makes a server-side HTTP request to it without any validation of the target host or IP address. The endpoint requires no authentication. An attacker can use this to reach internal network services, cloud metadata endpoints (169.254.169.254), and localhost-bound services, with partial response data exfiltrated via the HTML <title> tag extraction. This vulnerability is fixed in 4.2.8.
Deeper analysis
CVE-2026-35037 is a server-side request forgery (SSRF) vulnerability (CWE-918) affecting Ech0, an open-source, self-hosted publishing platform for personal idea sharing. In versions prior to 4.2.8, the unauthenticated GET /api/website/title endpoint accepts an arbitrary URL via the website_url query parameter and performs a server-side HTTP request to it without validating the target host or IP address. This allows attackers to probe and interact with unintended resources, with partial response data exfiltrated through HTML <title> tag extraction. The vulnerability has a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N).
Any unauthenticated remote attacker can exploit this vulnerability by sending a crafted request to the endpoint, causing the Ech0 server to make HTTP requests to internal network services, cloud metadata endpoints such as 169.254.169.254, or localhost-bound services. Successful exploitation yields limited confidentiality and integrity impacts, including reconnaissance of internal infrastructure and data leakage via the extracted title content; the CVSS vector records a changed scope (S:C) and no availability impact (A:N).
The vulnerability is fixed in Ech0 version 4.2.8, as detailed in the GitHub security advisory at https://github.com/lin-snow/Ech0/security/advisories/GHSA-cqgf-f4x7-g6wc. Security practitioners should upgrade to 4.2.8 or later and review exposed Ech0 instances for SSRF mitigations such as URL whitelisting or request filtering.
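The Mitigating Controls section and the paragraph above both call for validating the website_url parameter before the server fetches it. The following Go code is an added illustration of that check, written for this page; it is not Ech0's own code or its 4.2.8 fix, and the hostnames and addresses in offlineLookup are constructed so the example runs without DNS. It parses the URL, restricts the scheme to http/https, resolves the host, and rejects every returned address that is loopback, private, link-local (which covers 169.254.169.254), multicast, or otherwise not publicly routable. It returns the vetted address so the caller can dial that exact IP rather than re-resolving the name.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/url"
	"strings"
)

// LookupFunc resolves a hostname to its addresses. Production code passes
// net.LookupIP; the demo below passes an offline stub.
type LookupFunc func(host string) ([]net.IP, error)

// Ranges that a server-side fetcher must never contact. The net.IP helper
// methods cover most of these; the explicit list adds CGNAT, 0/8 and 240/4.
var blockedCIDRs = mustCIDRs(
	"0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
	"169.254.0.0/16", // link-local, including the 169.254.169.254 metadata endpoint
	"172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
	"::/128", "::1/128", "fc00::/7", "fe80::/10", "ff00::/8",
)

func mustCIDRs(cidrs ...string) []*net.IPNet {
	nets := make([]*net.IPNet, 0, len(cidrs))
	for _, c := range cidrs {
		_, n, err := net.ParseCIDR(c)
		if err != nil {
			panic(err)
		}
		nets = append(nets, n)
	}
	return nets
}

// CheckIP rejects any address that is not publicly routable. IPNet.Contains
// normalises IPv4-mapped IPv6 addresses (::ffff:127.0.0.1) to IPv4 first.
func CheckIP(ip net.IP) error {
	if ip == nil {
		return errors.New("nil address")
	}
	if ip.IsUnspecified() || ip.IsLoopback() || ip.IsPrivate() ||
		ip.IsLinkLocalUnicast() || ip.IsLinkLocalMulticast() || ip.IsMulticast() {
		return fmt.Errorf("address %s is not publicly routable", ip)
	}
	for _, n := range blockedCIDRs {
		if n.Contains(ip) {
			return fmt.Errorf("address %s is in blocked range %s", ip, n)
		}
	}
	return nil
}

// ValidateFetchURL checks a user-supplied URL and returns the single address
// the caller should dial. Every address the resolver returns is checked, so a
// name that maps to one public and one internal address is rejected outright.
func ValidateFetchURL(raw string, lookup LookupFunc) (net.IP, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return nil, fmt.Errorf("malformed url: %w", err)
	}
	switch strings.ToLower(u.Scheme) {
	case "http", "https":
	default:
		return nil, fmt.Errorf("scheme %q not allowed", u.Scheme)
	}
	if u.User != nil {
		return nil, errors.New("credentials in url not allowed")
	}
	host := u.Hostname()
	if host == "" {
		return nil, errors.New("empty host")
	}
	var ips []net.IP
	if ip := net.ParseIP(host); ip != nil {
		ips = []net.IP{ip}
	} else if ips, err = lookup(host); err != nil {
		return nil, fmt.Errorf("resolving %q: %w", host, err)
	}
	if len(ips) == 0 {
		return nil, fmt.Errorf("%q resolved to no addresses", host)
	}
	for _, ip := range ips {
		if err := CheckIP(ip); err != nil {
			return nil, fmt.Errorf("%q rejected: %w", host, err)
		}
	}
	return ips[0], nil
}

// offlineLookup is a constructed stand-in for net.LookupIP so the example runs
// without network access; the names and addresses are made up for this demo.
func offlineLookup(host string) ([]net.IP, error) {
	table := map[string][]string{
		"example-blog.test":  {"203.0.113.10"},
		"mixed-answer.test":  {"203.0.113.20", "10.0.0.5"}, // public plus internal
		"localhost":          {"127.0.0.1", "::1"},
	}
	addrs, ok := table[strings.TrimSuffix(strings.ToLower(host), ".")]
	if !ok {
		return nil, fmt.Errorf("no such host: %s", host)
	}
	ips := make([]net.IP, 0, len(addrs))
	for _, a := range addrs {
		ips = append(ips, net.ParseIP(a))
	}
	return ips, nil
}

func main() {
	for _, raw := range []string{
		"https://example-blog.test/post/1",
		"http://169.254.169.254/latest/meta-data/",
		"http://localhost:8080/",
		"http://[::ffff:127.0.0.1]/",
		"http://mixed-answer.test/",
		"file:///etc/hostname",
	} {
		if ip, err := ValidateFetchURL(raw, offlineLookup); err != nil {
			fmt.Printf("reject %-45s %v\n", raw, err)
		} else {
			fmt.Printf("allow  %-45s dial %s\n", raw, ip)
		}
	}
}
```

Two points of design matter here. First, the check is only sound if the fetcher dials the returned IP (for example via a custom http.Transport DialContext) instead of re-resolving the name, otherwise a resolver that changes its answer between check and use bypasses it. Second, each redirect hop must be validated the same way (an http.Client CheckRedirect that calls ValidateFetchURL), since a permitted public host can redirect the server to an internal address.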
Details
- CWE(s)