CVE-2026-43891 Overview
CVE-2026-43891 is an external control of file name or path vulnerability [CWE-73] in changedetection.io, an open source web page change detection tool. The flaw is in the backup restore logic, which trusts attacker-controlled snapshot paths inside restored ZIP archives. When an attacker supplies a crafted backup file, the application copies the manipulated watch directory into the live datastore with shutil.copytree, history.txt included. Because the application later parses that history.txt for snapshot file locations, an attacker-supplied absolute path in it makes the application read and return an arbitrary local file. Versions prior to 0.55.1 are affected; the vulnerability is fixed in 0.55.1.
Critical Impact
An attacker who can submit a backup archive to the restore endpoint can read arbitrary files from the host filesystem, exposing configuration, credentials, and secrets readable by the application process. On deployments that expose the interface without authentication, this is reachable by remote, unauthenticated attackers.
Affected Products
- changedetection.io versions prior to 0.55.1
- Self-hosted deployments exposing the restore endpoint
- Container and bare-metal installations of webtechnologies:changedetection
Discovery Timeline
- 2026-05-12 - CVE-2026-43891 published to NVD
- 2026-05-15 - Last updated in NVD database
Technical Details for CVE-2026-43891
Vulnerability Analysis
The vulnerability resides in the backup restore workflow of changedetection.io. When a user restores a backup, the application extracts the supplied ZIP archive and trusts the directory structure inside it. Each restored watch UUID directory is copied directly into the live datastore using shutil.copytree(entry.path, dst_dir), preserving every file the attacker placed in the archive. This includes history.txt, which the application later parses to recover snapshot history.
The history.txt file contains references to snapshot files on disk. Because the restore process preserves attacker-controlled values, an adversary can point these references to arbitrary absolute paths. When the watch history property reads the snapshot, the application returns the contents of the targeted local file. This produces an arbitrary file read primitive accessible through the standard watch interface.
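The chain described above, as an added example that is not changedetection.io's own code: a minimal model of a restore that copytree's each top-level directory of the archive into the datastore, a history reader that opens snapshots wherever history.txt says they are, and a hardened resolver that refuses any path outside the watch directory. The watch UUID, the secret file, and the `timestamp,path` line format of history.txt are assumptions made for the demo, not details taken from the project; the hardened function is an illustration of the defensive check, not the vendor's patch.

```python
import os
import shutil
import tempfile
import zipfile

# Constructed values for the demo (hypothetical, not real data).
WATCH_UUID = "0d5a2d3e-7f4b-4d1e-9d2c-1234567890ab"
SNAPSHOT_TS = "1700000000"
SECRET_CONTENT = "API_TOKEN=abc123\n"


def build_malicious_backup(zip_path, target_file):
    """Craft a backup ZIP whose only watch carries a history.txt that points
    its single snapshot at an absolute path outside the datastore."""
    with zipfile.ZipFile(zip_path, "w") as zf:
        # Assumed line format: "<timestamp>,<snapshot path>"
        zf.writestr(f"{WATCH_UUID}/history.txt", f"{SNAPSHOT_TS},{target_file}\n")


def restore_vulnerable(zip_path, datastore):
    """Mirror of the flawed restore step the advisory describes: extract the
    archive, then copytree every top-level directory into the live datastore,
    keeping whatever history.txt the archive author placed there."""
    with tempfile.TemporaryDirectory() as tmp:
        with zipfile.ZipFile(zip_path) as zf:
            zf.extractall(tmp)
        for entry in os.scandir(tmp):
            if entry.is_dir():
                dst_dir = os.path.join(datastore, entry.name)
                shutil.copytree(entry.path, dst_dir, dirs_exist_ok=True)


def read_history(watch_dir):
    """Parse history.txt into {timestamp: path}. Relative names are joined to
    the watch directory; absolute paths are used as given (the flaw)."""
    history = {}
    with open(os.path.join(watch_dir, "history.txt")) as f:
        for line in f:
            line = line.strip()
            if "," not in line:
                continue
            ts, path = line.split(",", 1)
            if not os.path.isabs(path):
                path = os.path.join(watch_dir, path)
            history[ts] = path
    return history


def snapshot_vulnerable(watch_dir, ts):
    """Read the snapshot exactly where history.txt says it is."""
    with open(read_history(watch_dir)[ts]) as f:
        return f.read()


def snapshot_hardened(watch_dir, ts):
    """Defensive variant (illustration, not the vendor patch): refuse any
    snapshot path that does not resolve inside this watch's own directory."""
    root = os.path.realpath(watch_dir)
    target = os.path.realpath(read_history(watch_dir)[ts])
    if os.path.commonpath([root, target]) != root:
        raise ValueError(f"snapshot path escapes watch dir: {target}")
    with open(target) as f:
        return f.read()


def demo():
    """Run the whole chain in temporary directories and report both outcomes."""
    with tempfile.TemporaryDirectory() as host:
        secret = os.path.join(host, "secret.env")  # stands in for /etc/passwd or .env
        with open(secret, "w") as f:
            f.write(SECRET_CONTENT)
        datastore = os.path.join(host, "datastore")
        os.makedirs(datastore)
        backup = os.path.join(host, "backup.zip")
        build_malicious_backup(backup, secret)
        restore_vulnerable(backup, datastore)
        watch_dir = os.path.join(datastore, WATCH_UUID)
        leaked = snapshot_vulnerable(watch_dir, SNAPSHOT_TS)
        try:
            snapshot_hardened(watch_dir, SNAPSHOT_TS)
            rejected = False
        except ValueError:
            rejected = True
        return {"leaked": leaked, "hardened_rejected": rejected}


if __name__ == "__main__":
    print(demo())
```

The vulnerable reader returns the secret file's contents through the ordinary snapshot path; the hardened reader resolves symlinks with realpath before comparing, so a symlink planted inside the watch directory cannot bypass the check either.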
Root Cause
The root cause is external control of file name or path [CWE-73] during backup restoration. The application does not validate, sanitize, or constrain the paths embedded in restored backup archives. Trust placed in user-supplied archive contents allows path references to escape the intended datastore directory.
Attack Vector
An attacker with the ability to upload a backup archive can craft a ZIP containing a watch directory with a malicious history.txt. The file references absolute paths such as /etc/passwd, application configuration files, or environment files containing API tokens. After restore, viewing the watch history triggers the application to read and return the target file. The attack requires network access to the restore endpoint and no user interaction beyond submitting the backup.
No verified exploit code is publicly available. See the GitHub Security Advisory GHSA-8757-69j2-hx56 for vendor technical details.
Detection Methods for CVE-2026-43891
Indicators of Compromise
- Unexpected backup restore operations recorded in changedetection.io application logs.
- Watch directories containing history.txt entries that reference paths outside the application datastore.
- Watch history responses returning content that does not match any monitored URL, such as system file contents.
- Outbound exfiltration of sensitive file contents from the changedetection.io host.
Detection Strategies
- Inspect uploaded backup ZIP archives for history.txt files containing absolute paths or .. sequences.
- Audit the changedetection.io datastore for watch UUID directories that appeared after a restore operation.
- Compare watch snapshot contents against monitored URLs to identify mismatches indicating arbitrary file disclosure.
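A pre-restore scanner for the first strategy above, added here as an example and not part of changedetection.io or the original page: it opens an uploaded backup ZIP without extracting it, flags member names that are absolute or traverse upward, and flags history.txt entries that are absolute, contain a `..` component, or are anything other than a bare filename. The sample archive, its watch UUIDs and the `timestamp,path` line format are constructed for the demo.

```python
import io
import os
import posixpath
import zipfile

# Constructed sample backup (not a real capture): one sane watch, one tampered
# watch, and a member name that itself traverses out of the extraction root.
SAMPLE_BACKUP = {
    "a1b2c3d4-0000-4000-8000-000000000001/history.txt":
        "1700000000,1700000000.txt.br\n1700000600,1700000600.txt.br\n",
    "a1b2c3d4-0000-4000-8000-000000000002/history.txt":
        "1700000000,/etc/passwd\n1700000600,../../app/.env\n",
    "../outside.txt": "x\n",
}


def build_sample_backup():
    """Write SAMPLE_BACKUP into an in-memory ZIP, as an upload handler would see it."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in SAMPLE_BACKUP.items():
            zf.writestr(name, body)
    buf.seek(0)
    return buf


def suspicious_snapshot_ref(ref):
    """Classify a history.txt snapshot reference; None means it looks benign."""
    ref = ref.strip()
    if os.path.isabs(ref) or posixpath.isabs(ref):
        return "absolute path"
    parts = ref.replace("\\", "/").split("/")
    if ".." in parts:
        return "parent traversal"
    if len(parts) > 1:
        return "nested path"
    return None


def scan_history_text(text, origin):
    """Report every suspicious entry in one history.txt body."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        if "," not in line:
            continue
        _, ref = line.split(",", 1)  # assumed "<timestamp>,<snapshot path>" format
        why = suspicious_snapshot_ref(ref)
        if why:
            findings.append(f"{origin}:{n}: {why}: {ref.strip()}")
    return findings


def scan_backup_zip(fileobj):
    """Inspect an uploaded backup before restore: unsafe member names and
    history.txt entries that would leave the watch directory are reported."""
    findings = []
    with zipfile.ZipFile(fileobj) as zf:
        for info in zf.infolist():
            name = info.filename
            parts = name.replace("\\", "/").split("/")
            if posixpath.isabs(name) or ".." in parts:
                findings.append(f"{name}: unsafe member name")
            if parts[-1] == "history.txt":
                text = zf.read(info).decode("utf-8", errors="replace")
                findings.extend(scan_history_text(text, name))
    return findings


if __name__ == "__main__":
    for finding in scan_backup_zip(build_sample_backup()):
        print(finding)
```

Treat any finding as grounds to reject the upload outright rather than to clean it; a bare-filename-only rule for snapshot references is easy to enforce and leaves no room for encoding tricks in the path.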
Monitoring Recommendations
- Enable verbose logging on the restore endpoint and forward events to a central log platform.
- Alert on any restore operation performed by non-administrative or unexpected accounts.
- Monitor filesystem access patterns from the changedetection.io process for reads of sensitive paths such as /etc/, ~/.ssh/, or .env files.
How to Mitigate CVE-2026-43891
Immediate Actions Required
- Upgrade changedetection.io to version 0.55.1 or later without delay.
- Restrict network access to the changedetection.io interface to trusted administrators only.
- Review all backup restore activity since deployment and verify the integrity of the current datastore.
- Rotate any credentials, tokens, or secrets stored on the host that could have been disclosed.
Patch Information
The vendor released a fix in changedetection.io 0.55.1. The patch validates restored archive contents and prevents attacker-controlled paths from being copied into the live datastore. Refer to the GitHub Security Advisory GHSA-8757-69j2-hx56 for release notes and remediation details.
Workarounds
- Disable the backup restore functionality until the upgrade is applied.
- Place changedetection.io behind an authenticating reverse proxy that blocks anonymous access to administrative routes.
- Run the application under a low-privilege account with filesystem access limited to the datastore directory.
# Upgrade changedetection.io to the patched release
pip install --upgrade "changedetection.io>=0.55.1"
pip show changedetection.io | grep Version   # confirm 0.55.1 or later
# Or, for Docker deployments (the service listens on port 5000 in the container;
# binding it to loopback keeps it behind a local reverse proxy, per the workarounds)
docker pull ghcr.io/dgtlmoon/changedetection.io:0.55.1
docker stop changedetection && docker rm changedetection
docker run -d --name changedetection \
--restart unless-stopped \
-p 127.0.0.1:5000:5000 \
-v /opt/changedetection/datastore:/datastore \
ghcr.io/dgtlmoon/changedetection.io:0.55.1
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.