Platform: python
Component: changedetection-io
Fixed in: 0.54.2, 0.54.1
CVE-2026-27696 describes a Server-Side Request Forgery (SSRF) vulnerability in changedetection-io, a website change detection tool. This flaw allows authenticated users (or unauthenticated users in default configurations) to trigger the application to fetch internal network resources, potentially exposing sensitive data. The vulnerability impacts versions of changedetection-io up to 0.53.7, and a fix is available in version 0.54.1.
The SSRF vulnerability in changedetection-io allows an attacker to craft watch URLs pointing to internal network resources, such as loopback addresses (e.g. 127.0.0.1), link-local addresses (e.g. 169.254.169.254), or private IP ranges (e.g. 10.0.0.1). The application then fetches the content from these URLs and stores it, making it accessible through the web UI. This could lead to the exposure of internal services, configuration files, or other sensitive data residing on internal servers. The impact is amplified if the changedetection-io instance is configured without a password, since exploitation is then open to unauthenticated users. Successful exploitation could reveal internal network topology and potentially serve as a stepping stone for further attacks.
This vulnerability was publicly disclosed on 2026-02-25. There is currently no indication of active exploitation campaigns targeting CVE-2026-27696. No public proof-of-concept (PoC) code has been released, but the SSRF nature of the vulnerability makes it relatively straightforward to exploit. The vulnerability is not currently listed on CISA KEV.
Exploit Status
EPSS: 0.01% (3rd percentile)
CISA SSVC:
CVSS Vector:
The primary mitigation for CVE-2026-27696 is to upgrade changedetection-io to version 0.54.1 or later, which includes the necessary URL validation fixes. If upgrading immediately is not possible, consider implementing temporary workarounds. Restrict network access to the changedetection-io instance to only trusted sources. Implement a Web Application Firewall (WAF) with rules to block requests to internal IP address ranges. Carefully review and restrict the URLs that users can input as watch URLs, potentially using a whitelist approach. Monitor application logs for suspicious requests targeting internal network addresses.
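The "restrict the URLs that users can input as watch URLs" workaround above, and the internal-address classes named in the description (loopback, link-local, private ranges), can be turned into a concrete pre-fetch check. The following is an added example written for this page; it is not code from changedetection-io, and the hostnames and addresses in its FAKE_DNS table are constructed for an offline demonstration. It parses the submitted URL, resolves the host (through an injectable resolver), unwraps IPv4-mapped IPv6 literals such as ::ffff:127.0.0.1, and rejects any destination that is not a routable public address.

```python
"""Watch-URL guard against SSRF (added example, not changedetection-io code).

Resolves each hostname and rejects loopback, link-local, private, reserved,
multicast, unspecified and otherwise non-global destinations before the
application is allowed to fetch the URL.
"""
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def system_resolver(hostname):
    """Resolve a hostname to its A/AAAA records using the OS resolver."""
    infos = socket.getaddrinfo(hostname, None, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def normalise_ip(addr):
    """Parse an address literal; unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d)
    so that the IPv4 range checks apply to it as well."""
    ip = ipaddress.ip_address(addr)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        return ip.ipv4_mapped
    return ip


def is_forbidden_destination(ip):
    """True for any address that is not a routable public one."""
    return (ip.is_loopback or ip.is_link_local or ip.is_private
            or ip.is_reserved or ip.is_multicast or ip.is_unspecified
            or not ip.is_global)


def check_watch_url(url, resolver=system_resolver):
    """Return (allowed, reason) for a user-supplied watch URL.

    The resolver is injectable so the check can be exercised offline; in
    production the default OS resolver is used.
    """
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} is not allowed"
    host = parts.hostname
    if not host:
        return False, "URL has no host"
    try:
        addrs = [normalise_ip(host)]            # literal IP in the URL
    except ValueError:
        try:                                    # hostname: resolve it
            addrs = [normalise_ip(a) for a in resolver(host)]
        except (OSError, ValueError) as exc:    # gaierror is an OSError
            return False, f"could not resolve {host!r}: {exc}"
    if not addrs:
        return False, f"{host!r} resolved to no addresses"
    for ip in addrs:                            # every record must be public
        if is_forbidden_destination(ip):
            return False, f"{host!r} resolves to non-public address {ip}"
    return True, "ok"


# Constructed DNS table for the offline demo; these are not real records.
FAKE_DNS = {
    "metadata.internal.example": ["169.254.169.254"],
    "db.corp.example": ["10.0.0.1"],
    "public.example": ["8.8.8.8"],
    "rebinder.example": ["8.8.8.8", "127.0.0.1"],   # one bad record is enough
}


def fake_resolver(hostname):
    """Offline stand-in for system_resolver backed by FAKE_DNS."""
    try:
        return FAKE_DNS[hostname]
    except KeyError:
        raise socket.gaierror(f"no such host: {hostname}")


def demo():
    """Run the guard over a constructed set of watch URLs."""
    samples = [
        "http://127.0.0.1:8080/",
        "http://[::ffff:127.0.0.1]/",
        "http://169.254.169.254/",
        "http://db.corp.example/",
        "file:///tmp/x",
        "https://public.example/page",
        "https://rebinder.example/",
    ]
    return {u: check_watch_url(u, resolver=fake_resolver) for u in samples}


if __name__ == "__main__":
    for url, (ok, reason) in demo().items():
        print("ALLOW " if ok else "REJECT", url, "-", reason)
```

Two caveats a defender should keep in mind: a check performed when the watch is saved does not cover HTTP redirects issued by the remote server or a DNS answer that changes between validation and fetch, so the same predicate should be applied again to the address actually connected to and to every redirect hop; and blocking hostnames that resolve to any non-public record (as `rebinder.example` does above) is deliberately conservative. The check is a stop-gap for the interval before the upgrade to 0.54.1, not a replacement for it.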
Update changedetection.io to version 0.54.1 or higher. This version contains a fix for the SSRF vulnerability. The update will prevent authenticated (or unauthenticated if no password is configured) users from exploiting the vulnerability to access internal URLs and exfiltrate data.
CVE-2026-27696 is a Server-Side Request Forgery vulnerability in changedetection-io versions up to 0.53.7, allowing attackers to access internal network resources.
You are affected if you are running changedetection-io version 0.53.7 or earlier. Check your version and upgrade immediately.
Upgrade changedetection-io to version 0.54.1 or later to resolve the SSRF vulnerability. Consider temporary workarounds if immediate upgrade is not possible.
There is currently no confirmed active exploitation of CVE-2026-27696, but the vulnerability's nature makes it potentially exploitable.
Refer to the changedetection-io project's official release notes and security advisories for details: [https://github.com/changedetectionio/changedetectionio](https://github.com/changedetectionio/changedetectionio)