Executive Summary

CVE-2026-41644 is a Server-Side Request Forgery (SSRF) vulnerability in the monetr budgeting application's Lunch Flow integration prior to version 1.12.5.

This vulnerability allowed any authenticated user on a self-hosted monetr instance to cause the server to issue HTTP GET requests to arbitrary URLs supplied by the user.

The server would then read the full response body from these requests, even if the response was not successful (non-200), and reflect that response back in the API error message.

The issue existed because the URL validator only checked the URL scheme and allowed query parameters but did not filter out internal or sensitive addresses such as loopback, RFC1918, link-local, or cloud-provider metadata addresses.

This flaw was patched in monetr version 1.12.5 by introducing an allowlist of permitted API URLs and limiting the size of response bodies read.

Useful 0 Not Useful 0

Compliance Impact

The SSRF vulnerability in monetr prior to version 1.12.5 could lead to exposure of sensitive information because the server reflected response bodies from arbitrary URLs, including potentially sensitive internal or cloud metadata, back in API error messages. This exposure of sensitive data could impact confidentiality requirements under common standards and regulations such as GDPR and HIPAA.

Additionally, the vulnerability allowed denial-of-service conditions by buffering large response bodies, which could affect availability requirements.

The vulnerability was rated High severity with a CVSS score of 8.3, indicating significant risk to confidentiality and availability, which are critical aspects of compliance with data protection regulations.

The patch in version 1.12.5 mitigates these risks by restricting allowed API URLs, capping response body sizes, and improving configuration options, helping organizations maintain compliance by reducing the risk of unauthorized data exposure.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can have several impacts on users of self-hosted monetr instances.

• An attacker with authenticated access can cause the server to make requests to arbitrary URLs, potentially accessing internal or sensitive network resources.
• Sensitive information from the response bodies of these requests, including error messages, could be exposed to the attacker.
• There is a risk of denial-of-service (DoS) attacks by forcing the server to buffer very large response bodies (multi-gigabyte) into memory.
• Cloud deployments where instance metadata services are reachable (e.g., AWS EC2 without IMDSv2 enforced) face additional risks of metadata exposure.

The vulnerability affects self-hosted instances with default configurations where LunchFlow is enabled and public sign-up is allowed.

Useful 0 Not Useful 0

Detection Guidance

The vulnerability involves the monetr server making HTTP GET requests to arbitrary URLs supplied by authenticated users via the Lunch Flow integration. Detection can focus on monitoring outbound HTTP requests from the monetr server to unusual or unexpected URLs, especially those not in the allowed API URL list.

To detect exploitation attempts, you can monitor network traffic for unexpected HTTP GET requests originating from the monetr server process. Additionally, inspecting API error messages for reflected response bodies from non-200 upstream responses may indicate attempts to exploit the SSRF.

• Use network monitoring tools like tcpdump or Wireshark to capture outbound HTTP requests from the monetr server.
• Example tcpdump command to capture HTTP traffic from the monetr server (assuming default HTTP port 80):
• tcpdump -i <interface> -s 0 -A 'tcp dst port 80 and src host <monetr_server_ip>'
• Check application logs or API error responses for unusual error messages containing response bodies from external URLs.
• If possible, enable verbose logging in monetr to capture outbound request URLs during the Lunch Flow process.

Useful 0 Not Useful 0

Mitigation Strategies

The primary mitigation is to upgrade monetr to version 1.12.5 or later, where the vulnerability has been patched by implementing an allowlist of permitted Lunch Flow API URLs and limiting response body reads.

If upgrading immediately is not possible, the following workarounds can reduce risk:

• Disable public sign-up to prevent unauthorized authenticated users from accessing the vulnerable endpoint.
• Disable the Lunch Flow integration entirely if it is not needed.
• Restrict outbound HTTP egress from the monetr server to only trusted URLs, preventing arbitrary external requests.
• Configure the LunchFlow.AllowedApiUrls setting to explicitly list only trusted API URLs if using custom Lunch Flow API endpoints.

Useful 0 Not Useful 0