CVE-2026-27696
📋 TL;DR
This SSRF vulnerability in changedetection.io allows authenticated users (or any user when no password is configured, which is the default) to make the server fetch internal network URLs. This enables data exfiltration from internal services by viewing the stored responses through the web UI. All instances running versions prior to 0.54.1 are affected.
💻 Affected Systems
- changedetection.io
📦 What is this software?
Changedetection by Webtechnologies (changedetection.io): a self-hosted web page change detection and monitoring service. Users register URLs as "watches"; the server fetches each watch on a schedule, stores the response, and shows it (and any diff) in the web UI. That server-side fetch is what the SSRF abuses.
⚠️ Risk & Real-World Impact
Worst Case
Complete data exfiltration from internal services, including sensitive systems on private networks, potentially leading to full network compromise.
Likely Case
Unauthorized access to internal HTTP/HTTPS services, credential harvesting from internal APIs, and reconnaissance of internal network infrastructure.
If Mitigated
Limited impact if proper network segmentation and authentication are in place, but still allows internal service enumeration.
🎯 Exploit Status
Exploitation requires adding a watch whose target is an internal URL; trivial for anyone with access to the web interface, and the stored response is then readable through the UI.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 0.54.1
Vendor Advisory: https://github.com/dgtlmoon/changedetection.io/security/advisories/GHSA-3c45-4pj5-ch7m
Restart Required: Yes
Instructions:
1. Stop the changedetection.io service.
2. Update to version 0.54.1 via package manager or manual installation.
3. Restart the service.
🔧 Temporary Workarounds
Enable Authentication
Configure password protection to prevent unauthenticated access (no password is set by default).
Set the password via environment variable or configuration file.
Network Segmentation
Restrict changedetection.io container/VM network access to only the external endpoints it needs.
Configure firewall rules to block outbound connections from it to private IP ranges.
🧯 If You Can't Patch
- Implement strict network egress filtering to block connections to private IP ranges
- Enable authentication with strong passwords and monitor for unauthorized access attempts
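The workarounds above block internal targets at the network layer; the same policy can be enforced at the application layer before a watch is ever fetched. The following is an added example, not changedetection.io's own code and not the vendor's fix: a fail-closed URL validator that refuses any target whose host resolves to a non-public address (loopback, RFC 1918, link-local including the 169.254.169.254 metadata range, CGNAT, IPv4-mapped IPv6), together with a fetch helper that re-validates every redirect hop so a public URL cannot bounce the server to an internal one. Function names (`check_url`, `safe_fetch`) and the allowed-scheme list are assumptions of this example.

```python
"""Added example (not changedetection.io's own code): fail-closed validation of
watch targets plus a redirect-aware fetch. Names and policy are assumptions."""
import ipaddress
import socket
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlsplit

ALLOWED_SCHEMES = {"http", "https"}   # file:, ftp:, gopher: etc. are never fetched
MAX_REDIRECTS = 5


def is_internal_address(addr):
    """True unless the address is globally routable.

    IPv4-mapped IPv6 (::ffff:127.0.0.1) is unwrapped first so IPv4 rules apply.
    is_global is False for loopback, RFC 1918, link-local (169.254.0.0/16, which
    covers cloud metadata endpoints), CGNAT 100.64.0.0/10, 0.0.0.0/8, multicast
    and reserved space, so all of those are refused.
    """
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return not addr.is_global


def resolve_host(host):
    """Resolve a hostname or IP literal to every address it maps to (A and AAAA).

    Literals are parsed directly; names go through getaddrinfo, which also
    normalises alternative literal spellings (hex, decimal, short octets) on
    resolvers that accept them.
    """
    try:
        return {ipaddress.ip_address(host)}
    except ValueError:
        pass
    try:
        infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return set()
    return {ipaddress.ip_address(info[4][0]) for info in infos}


def check_url(url):
    """Return (allowed, reason). Anything not provably public is refused."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    host = parts.hostname
    if not host:
        return False, "missing host"
    addrs = resolve_host(host)
    if not addrs:
        return False, f"{host!r} did not resolve"   # fail closed on resolver errors
    for addr in addrs:                              # every record must be public
        if is_internal_address(addr):
            return False, f"{host!r} resolves to non-public address {addr}"
    return True, "ok"


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Never follow redirects automatically; safe_fetch validates each hop itself."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def safe_fetch(url, timeout=10):
    """Fetch url, re-checking the target before the first request and every redirect.

    Returns (final_url, body). Raises ValueError if any hop is refused.
    """
    opener = urllib.request.build_opener(_NoRedirect)
    for _ in range(MAX_REDIRECTS + 1):
        allowed, reason = check_url(url)
        if not allowed:
            raise ValueError(f"refusing {url}: {reason}")
        try:
            with opener.open(url, timeout=timeout) as resp:
                return resp.geturl(), resp.read()
        except urllib.error.HTTPError as err:
            location = err.headers.get("Location") if err.code in (301, 302, 303, 307, 308) else None
            if not location:
                raise
            url = urljoin(url, location)   # loop re-validates the new target
    raise ValueError("too many redirects")


if __name__ == "__main__":
    for candidate in ("http://127.0.0.1/", "http://169.254.169.254/latest/meta-data/",
                      "http://[::ffff:127.0.0.1]/", "http://93.184.216.34/"):
        print(candidate, check_url(candidate))
```

Two limits worth knowing: the validator resolves the name once and urllib resolves it again when connecting, so a DNS rebinding attacker could answer differently the second time; a production version should connect to the address it validated (or validate inside the connection hook). It also does not restrict ports, so an outbound egress rule remains the backstop for services the application layer does not know about.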
🔍 How to Verify
Check if Vulnerable:
Check if the version is below 0.54.1, and test by attempting to add a watch for an internal URL such as http://127.0.0.1
Check Version:
docker exec changedetection python -c "import changedetectionio; print(changedetectionio.__version__)" (the importable package is changedetectionio; the container name changedetection is assumed) or check the web interface footer
Verify Fix Applied:
After updating to 0.54.1, attempt to add a watch for an internal URL and verify that it is rejected
📡 Detection & Monitoring
Log Indicators:
- Failed URL validation logs
- Watch creation for internal IP addresses
- Unusual outbound HTTP requests from changedetection.io
Network Indicators:
- Outbound HTTP requests from changedetection.io to private IP ranges
- Unusual traffic patterns to internal services
SIEM Query:
source="changedetection.log" AND ("127.0.0.1" OR "192.168." OR "10." OR "172.16." OR "169.254.")
Note: these are substring terms, so expect noise and gaps. "10." matches any fragment such as a timestamp, version string or path like page10.html, and "172.16." covers only the first /16 of 172.16.0.0/12 (172.16.0.0 to 172.31.255.255). Where the SIEM supports it, match the extracted host against CIDR ranges or a regex instead.
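As an added example (not part of the advisory, and the log line format is constructed, not changedetection.io's real format), the scan below does what the substring query above cannot: it extracts the URL from each log line and classifies the host with CIDR-aware checks, so page10.html is not flagged while 172.20.0.3 is. The `naive_match` function reproduces the substring terms of the query so the two approaches can be compared on the same sample.

```python
"""Added example: CIDR-aware detection of watches pointing at internal hosts,
compared with the substring-based SIEM query. Sample log lines are constructed."""
import ipaddress
import re
from urllib.parse import urlsplit

URL_RE = re.compile(r"https?://[^\s\"'<>]+")
LOCAL_HOSTNAMES = {"localhost", "localhost.localdomain"}
NAIVE_TERMS = ("127.0.0.1", "192.168.", "10.", "172.16.", "169.254.")

# Constructed sample; the real application log format may differ.
SAMPLE_LOG = """\
2026-03-01 09:12:01 INFO watch added url=http://example.com/page10.html
2026-03-01 09:13:45 INFO watch added url=http://10.0.0.5:8080/admin
2026-03-01 09:14:02 INFO watch added url=http://172.20.0.3/api/keys
2026-03-01 09:15:30 INFO watch added url=http://169.254.169.254/latest/meta-data/
2026-03-01 09:16:11 INFO watch added url=https://www.example.org/status
2026-03-01 09:17:40 INFO watch added url=http://localhost:5000/
2026-03-01 09:18:05 INFO watch added url=http://[::1]:8443/
"""


def naive_match(line):
    """The substring logic of the SIEM query: any term anywhere in the line."""
    return any(term in line for term in NAIVE_TERMS)


def internal_reason(host):
    """Why a host is internal, or None. Hostnames other than localhost are not
    resolved here; resolve them out of band if DNS lookups are acceptable."""
    if host in LOCAL_HOSTNAMES:
        return "localhost name"
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return None
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped           # ::ffff:a.b.c.d -> a.b.c.d
    if addr.is_loopback:
        return "loopback"
    if addr.is_link_local:
        return "link-local (cloud metadata range)"
    if addr.is_private:
        return "private (RFC 1918 / ULA)"
    if not addr.is_global:
        return "non-global"
    return None


def find_internal_targets(text):
    """Return [(url, reason)] for every URL in the log whose host is internal."""
    hits = []
    for line in text.splitlines():
        for url in URL_RE.findall(line):
            host = urlsplit(url).hostname
            if host is None:
                continue
            reason = internal_reason(host)
            if reason:
                hits.append((url, reason))
    return hits


if __name__ == "__main__":
    for url, reason in find_internal_targets(SAMPLE_LOG):
        print(f"ALERT {url}  ({reason})")
    for line in SAMPLE_LOG.splitlines():
        print("naive:", naive_match(line), line.split("url=")[1])
```

On the sample, the substring terms fire on the harmless page10.html line and miss the 172.20.0.3 line, while the CIDR-aware scan flags exactly the five internal targets. The remaining gap is hostnames that resolve to internal addresses; pair this with the network indicators above, since the egress connection itself is the most reliable signal.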