GHSA-w8jj-cwmc-wgq2: Ech0's Missing Authorization on System Logs Allows Non-Admin Information Disclosure

April 10, 2026

The system log endpoints (GET /api/system/logs, GET /api/system/logs/stream, WS /ws/system/logs) lack authorization checks, allowing any authenticated non-admin user to read and stream all server logs. These logs contain error stack traces, internal file paths, module names, and arbitrary structured fields that facilitate reconnaissance for further attacks.

References

github.com/advisories/GHSA-w8jj-cwmc-wgq2
github.com/lin-snow/Ech0
github.com/lin-snow/Ech0/releases/tag/v4.4.3
github.com/lin-snow/Ech0/security/advisories/GHSA-w8jj-cwmc-wgq2

Code Behaviors & Features

Detect and mitigate GHSA-w8jj-cwmc-wgq2 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →