CVE-2026-43891: changedetection.io has an Arbitrary Local File Read via a crafted backup restore
This is an arbitrary local file disclosure vulnerability reachable through malicious backup restore content.
Who is impacted:
- Deployments where the application process has read access to sensitive local system files.
- Docker or host-mounted environments where secrets, config files, or operational artifacts are explicitly readable by the service.
What can be exposed:
- Arbitrary System Files: Core operating system files (e.g., /etc/passwd, /proc/self/environ), system-level configurations, and host metrics.
- Application Data: Internal records and files residing under the /datastore directory.
- Secrets & Artifacts: Application-local configuration files, API tokens, database credentials, and other sensitive artifacts accessible to the application process.
By accessing the backup restore functionality and importing a crafted archive, an attacker can exploit the application’s fail-open path validation. The confidentiality impact is exceptionally high because, once the payload is ingested, the application can be manipulated to disclose arbitrary local system files and highly sensitive environment variables directly through standard UI or API responses.
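The fail-open path validation described above is the point a defender wants to close. The following is an added example, not code from changedetection.io or from this advisory: it shows a fail-closed validation of backup archive members that runs before anything is written. It assumes a zip-format backup and a hypothetical /datastore root, rejects absolute names, ".." components and symlink members, and confirms that every resolved destination stays inside the datastore. The `build_archive` helper only constructs in-memory sample archives for exercising the validator.

```python
import io
import shutil
import stat
import zipfile
from pathlib import Path
from typing import Dict, List, Optional

# Assumed datastore root for this example; the real location is deployment-specific.
DATASTORE = Path("/datastore")


class UnsafeArchiveMember(ValueError):
    """Raised when an archive member would read or write outside the datastore."""


def safe_member_path(member_name: str, root: Path = DATASTORE) -> Path:
    """Map one archive member name to a destination under `root`, or raise.

    Fails closed: absolute names, '..' components and names whose resolved
    destination leaves `root` are rejected instead of silently accepted.
    """
    name = member_name.replace("\\", "/")
    if name.startswith("/"):
        raise UnsafeArchiveMember(f"absolute member path: {member_name!r}")
    parts = [p for p in name.split("/") if p not in ("", ".")]
    if not parts or ".." in parts:
        raise UnsafeArchiveMember(f"empty or traversing member path: {member_name!r}")
    root_resolved = root.resolve()
    # resolve() follows symlinks that may already exist under root, so a
    # previously planted link cannot redirect the write outside the datastore.
    dest = root_resolved.joinpath(*parts).resolve()
    if dest != root_resolved and root_resolved not in dest.parents:
        raise UnsafeArchiveMember(f"member resolves outside datastore: {member_name!r}")
    return dest


def validate_backup(archive_bytes: bytes, root: Path = DATASTORE) -> List[str]:
    """Check every member before any file is written; returns the accepted names."""
    accepted: List[str] = []
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            # The high 16 bits of external_attr carry the Unix st_mode of the member.
            if stat.S_ISLNK(info.external_attr >> 16):
                raise UnsafeArchiveMember(f"symlink member: {info.filename!r}")
            safe_member_path(info.filename, root)
            accepted.append(info.filename)
    return accepted


def backup_is_safe(archive_bytes: bytes, root: Path = DATASTORE) -> bool:
    """True if validate_backup accepts the whole archive, False if it rejects it."""
    try:
        validate_backup(archive_bytes, root)
        return True
    except UnsafeArchiveMember:
        return False


def restore_backup(archive_bytes: bytes, root: Path = DATASTORE) -> List[Path]:
    """Extract only after the whole archive validated, so a bad member causes no partial write."""
    validate_backup(archive_bytes, root)
    written: List[Path] = []
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            dest = safe_member_path(info.filename, root)
            if info.is_dir():
                dest.mkdir(parents=True, exist_ok=True)
                continue
            dest.parent.mkdir(parents=True, exist_ok=True)
            with zf.open(info) as src, open(dest, "wb") as out:
                shutil.copyfileobj(src, out)
            written.append(dest)
    return written


def build_archive(files: Dict[str, bytes], symlinks: Optional[Dict[str, str]] = None) -> bytes:
    """Build a constructed in-memory zip (regular files plus optional symlink members) for testing."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in files.items():
            zf.writestr(name, data)  # writestr keeps the name verbatim, traversal included
        for name, target in (symlinks or {}).items():
            info = zipfile.ZipInfo(name)
            info.external_attr = (stat.S_IFLNK | 0o777) << 16
            zf.writestr(info, target)
    return buf.getvalue()
```

The validation pass runs over the whole archive before the first write, and the destination check is done on the resolved path rather than on the member string alone, so both a traversing name and a symlink already present under the datastore are caught. The same check applies to any backup format: validate the destination, not just the name.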