CVE-2026-27696
SSRF in changedetection.io Allows Internal Data Exfiltration
Publication date: 2026-02-25
Last updated on: 2026-02-26
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| webtechnologies | changedetection | to 0.54.1 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-918 | The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-27696 is a high-severity Server-Side Request Forgery (SSRF) vulnerability in changedetection.io versions prior to 0.54.1. The vulnerability exists because the URL validation function `is_safe_valid_url()` does not properly validate the resolved IP addresses of user-supplied watch URLs against private, loopback, or link-local IP ranges.
This flaw allows an authenticated user, or any user if no password is configured (which is the default), to add watches on internal network URLs such as internal IP addresses or cloud metadata service endpoints. The application then fetches these URLs server-side, stores the response content, and displays it in the web UI, enabling attackers to exfiltrate sensitive data from internal services.
The vulnerability arises because `is_safe_valid_url()` only checks the URL protocol and format but does not perform DNS resolution or IP address validation, allowing access to internal network resources that should be protected.
How can this vulnerability impact me?
This vulnerability can have serious impacts including:
- Theft of cloud credentials such as AWS IAM credentials, service account tokens, or managed identity tokens by accessing internal metadata services.
- Internal network scanning by adding watches on internal IP ranges, potentially exposing sensitive internal infrastructure.
- Access to internal APIs, databases, and administrative interfaces that are not exposed externally.
- Persistent SSRF attacks due to periodic fetching of the maliciously added watch URLs.
- Exploitation without authentication by default, since the web UI has no password set initially.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this SSRF vulnerability involves monitoring for attempts to add or fetch watch URLs that resolve to private, loopback, or link-local IP addresses such as 127.0.0.1, 10.0.0.1, or 169.254.169.254. Since the vulnerability allows an attacker to add internal network URLs as watches, network or system logs can be inspected for unusual outbound HTTP requests to these internal IP ranges originating from the changedetection.io server.
To detect exploitation attempts, you can check the changedetection.io logs for watch URL additions or fetches targeting internal IPs. Additionally, network monitoring tools can be used to identify outgoing HTTP requests from the changedetection.io host to private or reserved IP ranges.
Suggested commands to help detect this vulnerability include:
- Use netstat or ss to monitor outgoing connections from the changedetection.io process: `netstat -tnp | grep changedetection` or `ss -tnp | grep changedetection`
- Check HTTP access logs or application logs for watch URLs containing private IP addresses: `grep -E 'http://(127\.0\.0\.1|10\.|169\.254\.)' /path/to/changedetection/logs/*`
- Use packet capture tools like tcpdump to monitor outgoing HTTP requests to private IP ranges: `tcpdump -i eth0 dst net 10.0.0.0/8 or dst net 127.0.0.0/8 or dst net 169.254.0.0/16`
- If you have access to the changedetection.io API or database, query for watch URLs that resolve to private IPs by resolving hostnames or inspecting stored URLs. [1, 2]
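As an added example, not part of the original page or of changedetection.io, this Python scan applies the log-review idea above to constructed sample log lines: it flags any logged watch URL whose host is a literal internal address or a name that resolves to one. The log line format, hostnames and DNS table are assumptions made for the example.

```python
import ipaddress
import re
import socket
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s'\"<>]+")

def is_internal(addr):
    """Loopback, RFC 1918 private, link-local (covers 169.254.169.254), reserved or unspecified."""
    ip = ipaddress.ip_address(addr)
    return ip.is_private or ip.is_loopback or ip.is_link_local or ip.is_reserved or ip.is_unspecified

def default_resolver(host):
    """Real DNS lookup; returns [] when the name does not resolve."""
    try:
        return sorted({ai[4][0] for ai in socket.getaddrinfo(host, None)})
    except OSError:
        return []

def find_internal_watch_urls(lines, resolver=default_resolver):
    """Return (line_no, url, offending_address) for each logged URL whose host is
    a literal internal IP or a name that resolves to one."""
    hits = []
    for n, line in enumerate(lines, 1):
        for url in URL_RE.findall(line):
            host = urlparse(url).hostname  # brackets around IPv6 literals are stripped here
            if not host:
                continue
            try:
                ipaddress.ip_address(host)
                addrs = [host]
            except ValueError:
                addrs = resolver(host)
            bad = next((a for a in addrs if is_internal(a)), None)
            if bad is not None:
                hits.append((n, url, bad))
    return hits

# Constructed sample log lines (generic application-log shape, not real changedetection.io
# output) and a constructed DNS table so the scan runs offline.
SAMPLE_LOG = [
    "2026-02-25 10:01:02 INFO Watch added url=https://example.com/pricing",
    "2026-02-25 10:02:11 INFO Watch added url=http://169.254.169.254/latest/meta-data/",
    "2026-02-25 10:03:40 INFO Fetching http://[::1]:8080/admin for watch 3",
    "2026-02-25 10:04:05 INFO Watch added url=http://intranet.test/status",
]
SAMPLE_DNS = {"example.com": ["93.184.216.34"], "intranet.test": ["10.0.0.7"]}

def scan_sample():
    return find_internal_watch_urls(SAMPLE_LOG, resolver=lambda h: SAMPLE_DNS.get(h, []))
```

Running `scan_sample()` reports lines 2, 3 and 4; the public example.com watch is not flagged.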
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include upgrading changedetection.io to version 0.54.1 or later, where the vulnerability is fixed by enhancing URL validation to block private, loopback, link-local, and cloud metadata IP addresses.
If upgrading immediately is not possible, you should:
- Configure changedetection.io to require authentication and set a strong password to prevent unauthenticated users from adding watch URLs.
- Set the environment variable `ALLOW_IANA_RESTRICTED_ADDRESSES` to `false` (default) to block URLs resolving to private or reserved IP addresses at both URL addition and fetch time.
- Manually review and remove any existing watch URLs that point to internal IP addresses or cloud metadata services.
- Monitor logs and network traffic for suspicious requests to internal IP ranges originating from changedetection.io.
The fix includes DNS resolution and IP address validation to prevent SSRF attacks, including protections against DNS rebinding and open redirect bypasses.
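As an added illustration (not code from changedetection.io or from the advisory) of the resolved-address check described in the explanation above and of the fetch-time and redirect re-validation mentioned in the fix, this Python validator resolves the URL's host and rejects it if any answer falls in an internal range, then re-checks the destination on every redirect hop. The hostnames, DNS answers and redirect targets are constructed stand-ins.

```python
import ipaddress
import socket
from urllib.parse import urlparse

# Constructed DNS answers so this runs offline; rebind.test mixes a public and an internal answer.
FAKE_DNS = {"example.com": ["93.184.216.34"],
            "metadata.internal.test": ["169.254.169.254"],
            "rebind.test": ["93.184.216.34", "10.0.0.5"]}

def resolve_all(host):
    """Every address the name resolves to; names outside the table use a real lookup."""
    if host in FAKE_DNS:
        return FAKE_DNS[host]
    try:
        return sorted({ai[4][0] for ai in socket.getaddrinfo(host, None)})
    except OSError:
        return []

def is_safe_valid_url(url):
    """Hardened replacement for a scheme-and-shape-only check: accept the URL only if every
    address its host resolves to lies outside private, loopback, link-local, reserved space."""
    p = urlparse(url)
    if p.scheme not in ("http", "https") or not p.hostname:
        return False
    try:
        ipaddress.ip_address(p.hostname)
        addrs = [p.hostname]  # literal IP in the URL, no lookup needed
    except ValueError:
        addrs = resolve_all(p.hostname)
    if not addrs:
        return False  # unresolvable names fail closed
    for ip in map(ipaddress.ip_address, addrs):
        if ip.is_private or ip.is_loopback or ip.is_link_local or ip.is_reserved or ip.is_unspecified:
            return False  # a single internal answer is enough to reject (rebinding defence)
    return True

# Constructed stand-in for HTTP 3xx responses (hypothetical URLs).
FAKE_REDIRECTS = {"http://example.com/go": "http://metadata.internal.test/latest/meta-data/"}

def fetch_destination(url, max_hops=5):
    """Re-validate at fetch time and on every redirect hop; None means refuse the fetch."""
    for _ in range(max_hops + 1):
        if not is_safe_valid_url(url):
            return None
        nxt = FAKE_REDIRECTS.get(url)
        if nxt is None:
            return url  # final destination approved
        url = nxt
    return None  # too many redirects
```

Because watches are re-fetched periodically, the same check must run at fetch time, not only when the watch is added.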