CVE-2026-35037: Ech0: Unauthenticated SSRF in GetWebsiteTitle allows access to internal services and cloud metadata

April 3, 2026 (updated April 6, 2026)

The GET /api/website/title endpoint accepts an arbitrary URL via the website_url query parameter and makes a server-side HTTP request to it without any validation of the target host or IP address. The endpoint requires no authentication. An attacker can use this to reach internal network services, cloud metadata endpoints (169.254.169.254), and localhost-bound services, with partial response data exfiltrated via the HTML <title> tag extraction.

References

github.com/advisories/GHSA-cqgf-f4x7-g6wc
github.com/lin-snow/Ech0
github.com/lin-snow/Ech0/security/advisories/GHSA-cqgf-f4x7-g6wc
nvd.nist.gov/vuln/detail/CVE-2026-35037

Code Behaviors & Features

Detect and mitigate CVE-2026-35037 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →