Skip to main content
A Leader in the 2026 Gartner® Magic Quadrant™ for Endpoint Protection. Six years running.Find Out Why
CVE Vulnerability Database
Vulnerability Database/CVE-2026-29039

CVE-2026-29039: Changedetection Path Traversal Flaw

CVE-2026-29039 is a path traversal vulnerability in Changedetection.io allowing attackers to read arbitrary files via malicious XPath expressions. This article covers technical details, affected versions, and mitigation.

Published:

CVE-2026-29039 Overview

CVE-2026-29039 is an XPath Injection vulnerability affecting changedetection.io, a free open source web page change detection tool. Prior to version 0.54.4, the application allows users to specify XPath expressions as content filters via the include_filters field. These XPath expressions are processed using the elementpath library which implements XPath 3.0/3.1 specification. The XPath 3.0 specification includes the unparsed-text() function which can read arbitrary files from the filesystem. Due to the lack of validation or sanitization of XPath expressions to block dangerous functions, an attacker can exploit this vulnerability to read any file accessible to the application process.

Critical Impact

Unauthenticated attackers can leverage XPath 3.0's unparsed-text() function to read arbitrary files from the server filesystem, potentially exposing sensitive configuration files, credentials, and other confidential data.

Affected Products

  • webtechnologies changedetection (versions prior to 0.54.4)

Discovery Timeline

  • 2026-03-06 - CVE-2026-29039 published to NVD
  • 2026-03-10 - Last updated in NVD database

Technical Details for CVE-2026-29039

Vulnerability Analysis

This vulnerability is classified as CWE-94 (Improper Control of Generation of Code / Code Injection). The changedetection.io application provides users with the ability to specify XPath expressions to filter page content during change detection operations. These expressions are processed by the elementpath library, which fully implements the XPath 3.0/3.1 specification.

The core issue lies in the fact that XPath 3.0 introduces powerful functions not present in earlier versions, including unparsed-text() which is designed to read text files from the filesystem. When user-supplied XPath expressions are passed directly to the elementpath processor without sanitization, attackers can craft malicious expressions that leverage these dangerous functions.

The attack is network-accessible and requires no authentication or user interaction, making it particularly dangerous for publicly exposed instances. A successful exploit results in the disclosure of sensitive file contents from the server, which could include application configuration files, database credentials, API keys, or other sensitive data.

Root Cause

The root cause of this vulnerability is the absence of input validation and sanitization on user-supplied XPath expressions. The application accepts XPath content filters through the include_filters field and passes them directly to the elementpath library for processing. The elementpath library, implementing the full XPath 3.0/3.1 specification, supports functions like unparsed-text() that can access the local filesystem. Without a whitelist of allowed functions or explicit blocking of dangerous functions, attackers can inject expressions that read arbitrary files.

Attack Vector

An attacker can exploit this vulnerability by submitting a malicious XPath expression through the include_filters field. The attack flow involves:

  1. The attacker accesses the changedetection.io application and configures a page monitoring job
  2. In the content filter configuration, the attacker supplies an XPath expression containing the unparsed-text() function pointing to a target file path (e.g., /etc/passwd or application configuration files)
  3. When the application processes this filter, the elementpath library evaluates the expression and reads the contents of the specified file
  4. The file contents are returned to the attacker through the application's change detection output

This vulnerability requires no special privileges and can be exploited remotely over the network. See the GitHub Security Advisory GHSA-6fmw-82m7-jq6p for additional technical details.

Detection Methods for CVE-2026-29039

Indicators of Compromise

  • Unusual XPath expressions in application logs containing unparsed-text(), doc(), or other file-access functions
  • Error messages referencing file paths or filesystem operations in XPath processing contexts
  • Monitoring requests that target sensitive file paths such as /etc/passwd, /etc/shadow, or application configuration directories
  • Unexpected file access attempts from the changedetection.io application process

Detection Strategies

  • Implement log monitoring for XPath expressions containing known dangerous functions like unparsed-text(), unparsed-text-lines(), doc(), and environment-variable()
  • Deploy web application firewall (WAF) rules to detect and block requests containing suspicious XPath payloads in the include_filters parameter
  • Enable file integrity monitoring on sensitive configuration files to detect unauthorized access attempts
  • Review application audit logs for content filter configurations that reference filesystem paths or XPath 3.0-specific functions

Monitoring Recommendations

  • Configure alerts for any XPath expression processing errors that reference filesystem paths
  • Monitor for elevated file read operations from the changedetection.io application process
  • Implement network traffic analysis to detect exfiltration of sensitive file contents through the application's responses
  • Regularly audit configured content filters for suspicious XPath expressions

How to Mitigate CVE-2026-29039

Immediate Actions Required

  • Upgrade changedetection.io to version 0.54.4 or later immediately
  • Audit existing content filter configurations for any suspicious XPath expressions
  • Review application logs for evidence of exploitation attempts
  • Consider temporarily disabling XPath-based content filtering until the patch is applied

Patch Information

The vulnerability has been patched in changedetection.io version 0.54.4. The fix involves implementing validation and sanitization of XPath expressions to block dangerous functions like unparsed-text().

For detailed patch information, refer to:

Workarounds

  • If immediate patching is not possible, restrict network access to the changedetection.io application to trusted users only
  • Implement a web application firewall rule to block requests containing dangerous XPath functions in the include_filters parameter
  • Run the application with minimal filesystem permissions to limit the scope of potential file disclosure
  • Consider using containerization with read-only filesystem mounts for sensitive directories
bash
# Example: Restrict container filesystem access (Docker)
docker run -d \
  --read-only \
  --tmpfs /tmp \
  -v /app/data:/datastore:rw \
  changedetection/changedetection.io:0.54.4

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.

Try SentinelOne