GHSA-cp79-9mwr-wr49: Ech0: Missing authorization on dashboard log endpoints allows low-privilege users to access sensitive system logs
Ech0 allows any authenticated user to read historical system logs and subscribe to live log streams because the dashboard log endpoints validate only that a JWT is present and valid, but do not require an administrator role or privileged scope.
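The token-only check described above and the corrected gate that also enforces a role, as an added Go example that is not Ech0's own code: `parseRole`, `gate`, `logsHandler`, the `/logs` path and the role names are assumptions, and `parseRole` stands in for real JWT verification so the example runs offline.

```go
package main

import (
	"net/http"
	"net/http/httptest"
	"strings"
)

// parseRole stands in for JWT signature verification. It accepts a constructed
// "Bearer role:subject" header so the example runs offline; a real deployment
// would read the role claim from the verified token instead.
func parseRole(r *http.Request) (string, bool) {
	tok := r.Header.Get("Authorization")
	if !strings.HasPrefix(tok, "Bearer ") {
		return "", false
	}
	role, _, ok := strings.Cut(strings.TrimPrefix(tok, "Bearer "), ":")
	return role, ok
}

// gate wraps a handler. With requiredRole == "" it reproduces the flawed
// pattern from the advisory: any valid token is enough, whoever holds it.
// With a non-empty requiredRole it adds the authorization step that was missing.
func gate(requiredRole string, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		role, ok := parseRole(r)
		if !ok {
			http.Error(w, "unauthorized", http.StatusUnauthorized) // no or invalid token
			return
		}
		if requiredRole != "" && role != requiredRole {
			http.Error(w, "forbidden", http.StatusForbidden) // authenticated, not authorized
			return
		}
		next.ServeHTTP(w, r)
	})
}

// logsHandler is a hypothetical stand-in for the dashboard log endpoint.
var logsHandler = http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
	w.Write([]byte("2024-01-01T00:00:00Z INFO constructed log line\n"))
})

// statusFor sends GET /logs (hypothetical path) through gate with the given
// token and returns the HTTP status code the client would see.
func statusFor(requiredRole, token string) int {
	req := httptest.NewRequest(http.MethodGet, "/logs", nil)
	if token != "" {
		req.Header.Set("Authorization", "Bearer "+token)
	}
	rec := httptest.NewRecorder()
	gate(requiredRole, logsHandler).ServeHTTP(rec, req)
	return rec.Code
}
```

With the flawed gate a token for a plain user returns 200 and the log body; with the role check the same token gets 403 while an administrator token still gets 200.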