Platform
python
Component
changedetection-io
Fixed in
0.54.2
0.54.1
CVE-2026-27696 describes a Server-Side Request Forgery (SSRF) vulnerability in changedetection-io, a website change detection tool. This flaw allows authenticated users (or unauthenticated users in default configurations) to trigger requests to internal network resources. Versions of changedetection-io prior to 0.54.1 are affected. The vulnerability is resolved in version 0.54.1.
The SSRF vulnerability in changedetection-io allows an attacker to craft watch URLs pointing to internal network addresses, such as loopback addresses (127.0.0.1), link-local addresses (169.254.169.254), or private IP ranges (10.0.0.1). The application then fetches the content from these internal URLs and stores it, making it accessible through the web UI. This can lead to the exposure of sensitive internal data, such as configuration files, internal web services, or even database information. The attacker can perform reconnaissance within the internal network, mapping out services and identifying potential further attack vectors. The blast radius extends to any internal resources accessible from the changedetection-io server.
This vulnerability was publicly disclosed on 2026-02-25. There is currently no indication of active exploitation campaigns targeting CVE-2026-27696. No public proof-of-concept exploits have been released. The vulnerability is not currently listed on the CISA KEV catalog. The ease of exploitation, combined with the potential for internal reconnaissance, suggests a medium probability of exploitation if left unpatched.
Organizations running changedetection-io, particularly those with default configurations (no password protection) or those exposing the application to untrusted networks, are at significant risk. Shared hosting environments where users can add custom watch URLs are also particularly vulnerable.
• python / server:
journalctl -u changedetection-io -g 'SSRF' --since "1 hour ago"
• generic web:
curl -I http://<changedetection-io-ip>/watch/ -s | grep 'Server:'
Disclosure
Exploit status
EPSS
0.01% (3rd percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-27696 is to upgrade changedetection-io to version 0.54.1 or later. This version includes fixes to the URL validation logic that prevent the SSRF vulnerability. If upgrading immediately is not feasible, consider implementing a Web Application Firewall (WAF) or proxy to filter outbound requests and block those targeting internal IP address ranges. Specifically, block requests to 127.0.0.1, 169.254.169.254, and 10.0.0.0/8. Review and restrict the permissions of the user account running changedetection-io to minimize potential impact. After upgrading, confirm the fix by attempting to create a watch URL pointing to an internal IP address; the request should be rejected.
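The following is an added example, not code from the changedetection-io project, showing the kind of watch-URL validation the mitigation above describes: a check that rejects non-HTTP schemes and any host that is, or resolves to, a loopback, link-local or private address (the 127.0.0.1, 169.254.169.254 and 10.0.0.0/8 ranges named above, plus the other RFC 1918 and IPv6 equivalents). The function names, the blocklist and the `resolver` hook are assumptions made for this illustration; the hostnames and addresses used in the demo are constructed.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Networks a watch URL must never target (assumed policy for this example).
# Covers the ranges the advisory names plus the remaining RFC 1918 / IPv6 equivalents.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8",        # "this" network, often routed to loopback
    "127.0.0.0/8",      # loopback
    "169.254.0.0/16",   # link-local, includes the 169.254.169.254 metadata endpoint
    "10.0.0.0/8",       # RFC 1918
    "172.16.0.0/12",    # RFC 1918
    "192.168.0.0/16",   # RFC 1918
    "::1/128",          # IPv6 loopback
    "fc00::/7",         # IPv6 unique local
    "fe80::/10",        # IPv6 link-local
)]


def is_blocked_ip(ip_text: str) -> bool:
    """True if the address literal falls inside a blocked network.

    IPv4-mapped IPv6 addresses (::ffff:127.0.0.1) are unwrapped first so the
    IPv4 rules apply to them as well.
    """
    addr = ipaddress.ip_address(ip_text)
    mapped = getattr(addr, "ipv4_mapped", None)  # only IPv6Address has this attribute
    if mapped is not None:
        addr = mapped
    return any(addr in net for net in BLOCKED_NETWORKS)


def default_resolver(host: str) -> list[str]:
    """Resolve a hostname to all of its addresses (A and AAAA)."""
    try:
        infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def validate_watch_url(url: str, resolver=None) -> tuple[bool, str]:
    """Return (allowed, reason) for a candidate watch URL.

    `resolver` is injectable so callers (and tests) can supply their own
    hostname -> [ip, ...] mapping instead of performing live DNS lookups.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, f"scheme {parts.scheme!r} not allowed"
    host = parts.hostname
    if not host:
        return False, "missing host"

    # Case 1: the host is an IP literal; check it directly.
    try:
        if is_blocked_ip(host):
            return False, f"address {host} is in a blocked range"
        return True, "ok"
    except ValueError:
        pass  # not an IP literal, fall through to hostname handling

    # Case 2: a hostname. Reject the well-known loopback name outright,
    # then resolve and check every returned address.
    if host == "localhost" or host.endswith(".localhost"):
        return False, "localhost is not allowed"
    resolver = resolver or default_resolver
    addresses = resolver(host)
    if not addresses:
        return False, f"{host} does not resolve"
    for ip in addresses:
        if is_blocked_ip(ip):
            return False, f"{host} resolves to blocked address {ip}"
    return True, "ok"


if __name__ == "__main__":
    # Constructed inputs for a quick demonstration; no network access needed.
    fake_dns = {"public.example": ["203.0.113.10"],
                "split.example": ["203.0.113.11", "10.1.2.3"]}
    for candidate in ("http://127.0.0.1/", "http://169.254.169.254/latest/meta-data/",
                      "http://[::ffff:127.0.0.1]/", "file:///etc/passwd",
                      "http://public.example/", "http://split.example/"):
        print(candidate, "->", validate_watch_url(candidate, fake_dns.get))
```

The check is injected with a resolver so it can be exercised offline; in production the default `socket.getaddrinfo` path is used. Note that validating at submission time is necessary but not sufficient on its own: a host can be re-resolved to a different address at fetch time (DNS rebinding), and an allowed public URL can redirect to an internal one, so the same address check should also be applied at connection time and on each redirect hop, which is what the outbound proxy filtering suggested above provides as a second layer.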
Update changedetection.io to version 0.54.1 or later. This version contains a fix for the SSRF vulnerability. The update prevents authenticated users (or unauthenticated users, if no password is configured) from exploiting the vulnerability to access internal URLs and exfiltrate data.
CVE-2026-27696 is a Server-Side Request Forgery vulnerability in changedetection-io versions up to 0.53.7, allowing attackers to access internal network resources.
You are affected if you are running changedetection-io version 0.53.7 or earlier. Check your version and upgrade immediately.
Upgrade changedetection-io to version 0.54.1 or later to resolve the SSRF vulnerability. Consider temporary workarounds if immediate upgrade is not possible.
There is currently no confirmed active exploitation of CVE-2026-27696, but the vulnerability's nature makes it potentially exploitable.
Refer to the changedetection-io project's official release notes and security advisories for details: [https://github.com/changedetectionio/changedetectionio](https://github.com/changedetectionio/changedetectionio)