GHSA-4h9q-p5j4-xvvh: Ech0: Scoped admin access tokens can bypass least-privilege controls on privileged endpoints, including backup export

April 10, 2026

Ech0 scoped access tokens do not reliably enforce least privilege: multiple privileged admin routes omit scope checks, and the backup export handler strips token scope metadata entirely, allowing a low-scope admin access token to reach broader admin functionality than intended.

References

github.com/advisories/GHSA-4h9q-p5j4-xvvh
github.com/lin-snow/Ech0
github.com/lin-snow/Ech0/releases/tag/v4.3.5
github.com/lin-snow/Ech0/security/advisories/GHSA-4h9q-p5j4-xvvh

Code Behaviors & Features

Detect and mitigate GHSA-4h9q-p5j4-xvvh with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →