CVE-2026-29039 Overview
CVE-2026-29039 is an XPath Injection vulnerability affecting changedetection.io, a free open source web page change detection tool. Prior to version 0.54.4, the application allows users to specify XPath expressions as content filters via the include_filters field. These XPath expressions are processed using the elementpath library which implements XPath 3.0/3.1 specification. The XPath 3.0 specification includes the unparsed-text() function which can read arbitrary files from the filesystem. Due to the lack of validation or sanitization of XPath expressions to block dangerous functions, an attacker can exploit this vulnerability to read any file accessible to the application process.
Critical Impact
Unauthenticated attackers can leverage XPath 3.0's unparsed-text() function to read arbitrary files from the server filesystem, potentially exposing sensitive configuration files, credentials, and other confidential data.
Affected Products
- webtechnologies changedetection (versions prior to 0.54.4)
Discovery Timeline
- 2026-03-06 - CVE-2026-29039 published to NVD
- 2026-03-10 - Last updated in NVD database
Technical Details for CVE-2026-29039
Vulnerability Analysis
This vulnerability is classified as CWE-94 (Improper Control of Generation of Code / Code Injection). The changedetection.io application provides users with the ability to specify XPath expressions to filter page content during change detection operations. These expressions are processed by the elementpath library, which fully implements the XPath 3.0/3.1 specification.
The core issue lies in the fact that XPath 3.0 introduces powerful functions not present in earlier versions, including unparsed-text() which is designed to read text files from the filesystem. When user-supplied XPath expressions are passed directly to the elementpath processor without sanitization, attackers can craft malicious expressions that leverage these dangerous functions.
The attack is network-accessible and requires no authentication or user interaction, making it particularly dangerous for publicly exposed instances. A successful exploit results in the disclosure of sensitive file contents from the server, which could include application configuration files, database credentials, API keys, or other sensitive data.
Root Cause
The root cause of this vulnerability is the absence of input validation and sanitization on user-supplied XPath expressions. The application accepts XPath content filters through the include_filters field and passes them directly to the elementpath library for processing. The elementpath library, implementing the full XPath 3.0/3.1 specification, supports functions like unparsed-text() that can access the local filesystem. Without a whitelist of allowed functions or explicit blocking of dangerous functions, attackers can inject expressions that read arbitrary files.
Attack Vector
An attacker can exploit this vulnerability by submitting a malicious XPath expression through the include_filters field. The attack flow involves:
- The attacker accesses the changedetection.io application and configures a page monitoring job
- In the content filter configuration, the attacker supplies an XPath expression containing the unparsed-text() function pointing to a target file path (e.g., /etc/passwd or application configuration files)
- When the application processes this filter, the elementpath library evaluates the expression and reads the contents of the specified file
- The file contents are returned to the attacker through the application's change detection output
This vulnerability requires no special privileges and can be exploited remotely over the network. See the GitHub Security Advisory GHSA-6fmw-82m7-jq6p for additional technical details.
Detection Methods for CVE-2026-29039
Indicators of Compromise
- Unusual XPath expressions in application logs containing unparsed-text(), doc(), or other file-access functions
- Error messages referencing file paths or filesystem operations in XPath processing contexts
- Monitoring requests that target sensitive file paths such as /etc/passwd, /etc/shadow, or application configuration directories
- Unexpected file access attempts from the changedetection.io application process
Detection Strategies
- Implement log monitoring for XPath expressions containing known dangerous functions like unparsed-text(), unparsed-text-lines(), doc(), and environment-variable()
- Deploy web application firewall (WAF) rules to detect and block requests containing suspicious XPath payloads in the include_filters parameter
- Enable file integrity monitoring on sensitive configuration files to detect unauthorized access attempts
- Review application audit logs for content filter configurations that reference filesystem paths or XPath 3.0-specific functions
Monitoring Recommendations
- Configure alerts for any XPath expression processing errors that reference filesystem paths
- Monitor for elevated file read operations from the changedetection.io application process
- Implement network traffic analysis to detect exfiltration of sensitive file contents through the application's responses
- Regularly audit configured content filters for suspicious XPath expressions
How to Mitigate CVE-2026-29039
Immediate Actions Required
- Upgrade changedetection.io to version 0.54.4 or later immediately
- Audit existing content filter configurations for any suspicious XPath expressions
- Review application logs for evidence of exploitation attempts
- Consider temporarily disabling XPath-based content filtering until the patch is applied
Patch Information
The vulnerability has been patched in changedetection.io version 0.54.4. The fix involves implementing validation and sanitization of XPath expressions to block dangerous functions like unparsed-text().
For detailed patch information, refer to:
Workarounds
- If immediate patching is not possible, restrict network access to the changedetection.io application to trusted users only
- Implement a web application firewall rule to block requests containing dangerous XPath functions in the include_filters parameter
- Run the application with minimal filesystem permissions to limit the scope of potential file disclosure
- Consider using containerization with read-only filesystem mounts for sensitive directories
# Example: Restrict container filesystem access (Docker)
docker run -d \
--read-only \
--tmpfs /tmp \
-v /app/data:/datastore:rw \
changedetection/changedetection.io:0.54.4
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
