CVE-2026-29065 Overview
CVE-2026-29065 is a Zip Slip vulnerability affecting changedetection.io, a free open source web page change detection tool. The vulnerability exists in the backup restore functionality, where improper validation of file paths within uploaded ZIP archives allows an attacker to overwrite arbitrary files on the system via path traversal. This issue has been patched in version 0.54.4.
Critical Impact
Attackers can upload malicious ZIP archives containing path traversal sequences to overwrite critical system files, potentially leading to remote code execution, configuration tampering, or complete system compromise.
Affected Products
- webtechnologies changedetection (versions prior to 0.54.4)
- changedetection.io installations using backup/restore functionality
- Self-hosted changedetection.io deployments
Discovery Timeline
- 2026-03-06 - CVE-2026-29065 published to NVD
- 2026-03-10 - Last updated in NVD database
Technical Details for CVE-2026-29065
Vulnerability Analysis
This vulnerability is classified as CWE-22 (Path Traversal), specifically manifesting as a "Zip Slip" attack in the backup restoration feature. The application fails to properly sanitize file paths contained within uploaded ZIP archive entries before extracting them to the filesystem. When processing backup archives, the application extracts files using the archived path names directly without validating that extracted files remain within the intended destination directory.
The network-accessible attack surface with no authentication requirements means any user who can access the backup restore functionality can exploit this vulnerability. The impact primarily affects confidentiality and integrity of the system, as arbitrary file writes can be used to overwrite configuration files, inject malicious code into web-accessible locations, or compromise sensitive application data.
Root Cause
The root cause lies in insufficient input validation during ZIP archive extraction. When the backup restore function processes uploaded archives, it does not properly sanitize the archived file paths for directory traversal sequences such as ../. This allows a malicious archive to contain entries with paths like ../../../../etc/cron.d/malicious that, when extracted, escape the intended backup directory and write files to arbitrary locations on the filesystem.
Attack Vector
An attacker can exploit this vulnerability by crafting a malicious ZIP file containing entries with path traversal sequences in their filenames. When uploaded through the backup restore interface, the application extracts these files to locations outside the intended backup directory. This can be used to:
- Overwrite application configuration files
- Plant web shells in accessible directories
- Modify scheduled tasks or startup scripts
- Replace legitimate application files with malicious versions
The security patch implemented file path validation and introduced additional protections including upload size limits and zip bomb detection:
<p>{{ _('Restore a backup. Must be a .zip backup file created on/after v0.53.1 (new database layout).') }}</p>
<p>{{ _('Note: This does not override the main application settings, only watches and groups.') }}</p>
+ <p class="pure-form-message">
+ {{ _('Max upload size: %(upload)s MB · Max decompressed size: %(decomp)s MB',
+ upload=max_upload_mb, decomp=max_decompressed_mb) }}
+ </p>
Source: GitHub Commit Change Detection
The patch also removes sensitive file handling from the backup process:
zipObj.write(url_watches_json, arcname="url-watches.json")
logger.debug("Added url-watches.json to backup")
- # Add the flask app secret (if it exists)
- secret_file = os.path.join(datastore_path, "secret.txt")
- if os.path.isfile(secret_file):
- zipObj.write(secret_file, arcname="secret.txt")
-
# Add tag data directories (each tag has its own {uuid}/tag.json)
for uuid, tag in (tags or {}).items():
for f in Path(tag.data_dir).glob('*'):
Source: GitHub Commit Change Detection
Detection Methods for CVE-2026-29065
Indicators of Compromise
- Unexpected files appearing outside the changedetection.io data directory after backup restore operations
- ZIP upload requests to the backup restore endpoint containing unusual path patterns (e.g., ../ sequences)
- Modified system files or configurations following backup restore activity
- New or unexpected files in web-accessible directories or cron locations
Detection Strategies
- Monitor file system activity during and after backup restore operations for writes outside the expected data directory
- Implement web application firewall rules to inspect uploaded ZIP files for path traversal patterns
- Review application logs for backup restore operations from untrusted sources
- Deploy file integrity monitoring on critical system directories and application files
Monitoring Recommendations
- Enable detailed logging for the changedetection.io backup and restore functionality
- Set up alerts for file creation or modification events in sensitive directories during backup operations
- Monitor network traffic for large ZIP uploads to the backup restore endpoint
- Implement anomaly detection for file system activity patterns associated with the changedetection.io process
How to Mitigate CVE-2026-29065
Immediate Actions Required
- Upgrade changedetection.io to version 0.54.4 or later immediately
- Restrict access to the backup restore functionality to trusted administrators only
- Review file system for any unexpected files that may have been written via exploitation
- Audit backup restore operations in application logs for suspicious activity
Patch Information
The vulnerability has been addressed in changedetection.io version 0.54.4. The patch implements proper path validation to prevent directory traversal during ZIP extraction, adds upload size limits, and includes protection against zip bomb attacks. Organizations should update to this version immediately.
Patch details are available in the GitHub Security Advisory GHSA-25g8-2mcf-fcx9 and the GitHub Release 0.54.4.
Workarounds
- Disable the backup restore functionality if not required until patching is complete
- Implement network-level access controls to restrict who can access the backup restore endpoint
- Deploy a web application firewall with rules to detect and block ZIP uploads containing path traversal sequences
- Run changedetection.io in a containerized environment with limited filesystem access to reduce the impact of potential exploitation
# Restrict access to backup restore endpoint via reverse proxy (nginx example)
location /backups/restore {
# Allow only from trusted admin IP ranges
allow 192.168.1.0/24;
deny all;
# Limit upload size as additional protection
client_max_body_size 50M;
proxy_pass http://changedetection:5000;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
