CVE-2026-27696: CWE-918: Server-Side Request Forgery (SSRF) in dgtlmoon changedetection.io
changedetection.io is a free open source web page change detection tool. In versions prior to 0.54.1, changedetection.io is vulnerable to Server-Side Request Forgery (SSRF) because the URL validation function `is_safe_valid_url()` does not validate the resolved IP address of watch URLs against private, loopback, or link-local address ranges. An authenticated user (or any user when no password is configured, which is the default) can add a watch for internal network URLs. The application fetches these URLs server-side, stores the response content, and makes it viewable through the web UI — enabling full data exfiltration from internal services. Version 0.54.1 contains a fix for the issue.
AI Analysis
Technical Summary
changedetection.io is an open-source tool designed to monitor web page changes by fetching and storing content from user-specified URLs. In versions before 0.54.1, it contains a Server-Side Request Forgery (SSRF) vulnerability (CVE-2026-27696, CWE-918) due to insufficient validation in the is_safe_valid_url() function. This function fails to verify the resolved IP addresses of URLs against private, loopback, or link-local address spaces, allowing attackers to specify internal network addresses. An attacker with authentication, or any user if no password is configured (the default), can add watch URLs pointing to internal services. The application fetches these URLs server-side and stores the response content, which is then accessible through the web UI. This behavior enables attackers to exfiltrate sensitive data from internal systems that are otherwise inaccessible externally. The vulnerability does not require user interaction and can be exploited remotely over the network. The CVSS v3.1 score of 8.6 reflects the high impact on confidentiality with no impact on integrity or availability. The scope is considered changed because the vulnerability allows access to internal network resources beyond the application boundary. The issue was addressed in version 0.54.1 by improving URL validation to block private and local IP ranges. No known exploits are reported in the wild yet, but the vulnerability is critical due to the potential for internal data exposure.
Potential Impact
This SSRF vulnerability poses a significant risk to organizations deploying changedetection.io versions prior to 0.54.1, especially those exposing the service to untrusted users or running it with weak authentication configurations. Attackers can leverage this flaw to reach internal network services that are otherwise protected by firewalls or network segmentation, potentially extracting sensitive information from internal APIs, metadata services, or configuration endpoints. The confidentiality breach can lead to further attacks, including lateral movement, reconnaissance, or data leakage. Since the vulnerability does not affect integrity or availability directly, the primary concern is unauthorized data disclosure. Organizations relying on changedetection.io in environments with sensitive internal resources are at heightened risk. The default configuration without password protection exacerbates the threat by allowing unauthenticated exploitation. The vulnerability's network-exploitable nature and the absence of any user-interaction requirement increase the likelihood of automated attacks once public awareness grows.
Mitigation Recommendations
Organizations should immediately upgrade changedetection.io to version 0.54.1 or later, which contains the fix for this SSRF vulnerability. If upgrading is not immediately feasible, administrators should enforce strong authentication mechanisms, ensuring that password protection is enabled to prevent unauthenticated access. Network-level controls such as firewall rules or web application firewalls (WAFs) can be configured to block outbound HTTP requests from the changedetection.io server to internal IP ranges, effectively stopping SSRF attempts from reaching internal services. Additionally, administrators should audit existing watch URLs for any internal addresses and remove suspicious entries. Monitoring and logging outbound requests from the application can help detect exploitation attempts. Implementing network segmentation to isolate the changedetection.io server from sensitive internal services further reduces risk. Finally, educating users about the risks of SSRF and enforcing strict input validation in any custom integrations can help prevent similar issues.
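As an added illustration (not changedetection.io's own code and not its 0.54.1 patch), the following Python shows the kind of resolved-address check the analysis says was missing: the watch URL's hostname is resolved, and every returned address is tested against private, loopback, link-local and other non-public ranges before the URL is accepted. `static_resolver`, the sample hostnames and the addresses they map to are constructed for offline use.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def _is_public(ip):
    # Unwrap IPv4-mapped IPv6 (::ffff:10.0.0.1) so the IPv4 rules apply to it.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return ip.is_global and not (ip.is_loopback or ip.is_link_local
                                 or ip.is_multicast or ip.is_unspecified)


def resolve_host(host, port):
    """Every address the OS resolver returns for host, as ipaddress objects."""
    infos = socket.getaddrinfo(host, port, proto=socket.IPPROTO_TCP)
    return [ipaddress.ip_address(info[4][0]) for info in infos]


def static_resolver(table):
    """Build a resolver from a constructed name->addresses dict (offline demo)."""
    def resolve(host, port):
        if host not in table:
            raise socket.gaierror(f"constructed DNS has no record for {host}")
        return [ipaddress.ip_address(a) for a in table[host]]
    return resolve


def is_safe_valid_url(url, resolver=resolve_host):
    """True only if url is http(s) and every address its host resolves to is public."""
    try:
        parts = urlsplit(url)
        if parts.scheme not in ALLOWED_SCHEMES or not parts.hostname:
            return False
        port = parts.port or (443 if parts.scheme == "https" else 80)
        try:
            addresses = [ipaddress.ip_address(parts.hostname)]  # literal IP, no DNS
        except ValueError:
            addresses = resolver(parts.hostname, port)
    except (ValueError, socket.gaierror):
        return False
    # Reject if ANY answer is non-public: a name that returns both a public and
    # a private record must not pass on the strength of the public one.
    return bool(addresses) and all(_is_public(ip) for ip in addresses)
```

A check at watch-creation time still leaves a DNS-rebinding window if the fetcher resolves the name again later; the fetch should connect to the address that passed validation, not re-resolve.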
Affected Countries
United States, Germany, United Kingdom, France, Canada, Australia, Netherlands, Japan, South Korea, India
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-02-23T17:56:51.202Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 699e80ffb7ef31ef0bd6da90
Added to database: 2/25/2026, 4:56:31 AM
Last enriched: 2/25/2026, 5:10:50 AM
Last updated: 4/11/2026, 12:52:15 PM
Views: 81