Platform
python
Component
changedetection-io
Fixed in
0.54.2
0.54.1
CVE-2026-27696 is a Server-Side Request Forgery (SSRF) vulnerability in changedetection-io, a website change detection tool. Any user who can add or edit a watch, meaning authenticated users, or anyone at all on an instance that has never had a password set, can make the server fetch resources on its own internal network and expose their contents. The vulnerability affects changedetection-io versions up to and including 0.53.7; a fix is available in version 0.54.1.
The root cause is a missing check on the destination of a watch URL. An attacker can point a watch at loopback addresses (127.0.0.1), link-local addresses (169.254.169.254, which on most cloud providers is the instance-metadata endpoint), or private ranges (10.0.0.1 and similar). The application fetches the content from these URLs as part of its normal change detection, stores the response, and renders it in the web UI, so the attacker reads it at leisure. This can expose internal services, configuration files, or sensitive data on internal servers, and where the metadata endpoint is reachable it can expose cloud credentials as well. The impact is amplified when the instance runs without a password, because exploitation then requires no authentication at all. Successful exploitation reveals internal network topology and can serve as a stepping stone for further attacks.
This vulnerability was publicly disclosed on 2026-02-25. There is currently no indication of active exploitation campaigns targeting CVE-2026-27696. No public proof-of-concept (PoC) code has been released, but the SSRF nature of the vulnerability makes it relatively straightforward to exploit. The vulnerability is not currently listed on CISA KEV.
Organizations running changedetection-io, particularly those with default configurations (no password protection) or those exposing the application to untrusted networks, are at significant risk. Shared hosting environments where users can add custom watch URLs are also particularly vulnerable.
• python / server (assumes the service runs as the systemd unit changedetection-io; the application is not expected to log the string "SSRF", so search the journal for fetches of loopback, link-local or private addresses instead):
journalctl -u changedetection-io -g '127\.0\.0\.1|169\.254\.|10\.[0-9]+\.|172\.(1[6-9]|2[0-9]|3[01])\.|192\.168\.' --since "1 hour ago"
• installed version (the PyPI package is named changedetection.io):
pip show changedetection.io | grep -i '^Version:'
• generic web (only confirms that a host is answering; it does not reveal the version):
curl -sI http://<changedetection-io-ip>/watch/ | grep -i '^Server:'
Exploit status
EPSS
0.01% (3rd percentile)
The primary mitigation for CVE-2026-27696 is to upgrade changedetection-io to version 0.54.1 or later, which adds validation of watch URLs. If upgrading immediately is not possible, reduce exposure in the meantime. Set an application password if the instance still has none, so that adding watches requires authentication. Restrict network access to the instance to trusted sources. Note that a Web Application Firewall in front of the instance sees inbound requests, not the outbound fetches the server makes, so it cannot stop the SSRF itself; at most it can reject watch-URL submissions that contain internal addresses, and that is bypassed by DNS names, redirects and alternate IP encodings. The effective network-level workaround is egress filtering on the host or container running changedetection-io, dropping connections to 127.0.0.0/8, 169.254.0.0/16, 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 and their IPv6 equivalents. Where the user base allows it, restrict watch URLs to an allow-list of permitted hosts. Monitor application and firewall logs for fetches directed at internal addresses.
Update changedetection.io to version 0.54.1 or later. This version contains a fix for the SSRF vulnerability. The update prevents authenticated users (or unauthenticated users if no password is configured) from exploiting the vulnerability to access internal URLs and exfiltrate data.
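One way to implement the destination check that the fix calls for, as an added example written for this page and not code from changedetection-io itself: every address the watch hostname resolves to is tested against loopback, link-local, private, multicast, reserved and unspecified ranges before any request is made, and the same test is repeated on each HTTP redirect so a public host cannot bounce the fetcher to an internal one. The resolver is injectable so the logic can be exercised offline; `demo_resolver` and its address table are constructed for the example.

```python
"""Pre-fetch URL validation against SSRF toward internal addresses.

Added illustration for this advisory, not code from changedetection.io.
It assumes the fetcher can be handed a hostname resolver (socket.getaddrinfo
by default) and that redirects go through urllib's handler chain.
"""
import ipaddress
import socket
import urllib.error
import urllib.parse
import urllib.request

ALLOWED_SCHEMES = {"http", "https"}


def resolve_host(host):
    """Return every IP address (A and AAAA) the hostname resolves to."""
    try:
        infos = socket.getaddrinfo(host, None)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def is_internal_address(ip_text):
    """True for loopback, link-local (incl. 169.254.169.254), private,
    multicast, reserved and unspecified addresses, IPv4 or IPv6.
    IPv4-mapped IPv6 (::ffff:127.0.0.1) is unwrapped before the check."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return True  # unparsable: fail closed
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    # is_multicast is checked explicitly because is_global's definition
    # has changed between Python versions.
    return (not ip.is_global) or ip.is_multicast


def validate_watch_url(url, resolver=resolve_host):
    """Return True only if the scheme is http(s) and every address the host
    resolves to is globally routable. A host that resolves to a mix of
    public and internal addresses is rejected."""
    parts = urllib.parse.urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES or not parts.hostname:
        return False
    addrs = resolver(parts.hostname)
    if not addrs:
        return False  # unresolvable: fail closed
    return all(not is_internal_address(a) for a in addrs)


class RevalidatingRedirectHandler(urllib.request.HTTPRedirectHandler):
    """Re-run the destination check on every 3xx hop."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        if not validate_watch_url(newurl):
            raise urllib.error.HTTPError(
                newurl, code, "redirect to internal address blocked", headers, fp)
        return super().redirect_request(req, fp, code, msg, headers, newurl)


def safe_fetch(url, timeout=10):
    """Fetch a watch URL only after the initial URL and each redirect pass."""
    if not validate_watch_url(url):
        raise ValueError("watch URL rejected: resolves to an internal address")
    opener = urllib.request.build_opener(RevalidatingRedirectHandler)
    with opener.open(url, timeout=timeout) as resp:
        return resp.read()


# Constructed lookup table so the validator can be exercised without DNS.
DEMO_DNS = {
    "example.com": ["93.184.216.34"],
    "metadata.internal": ["169.254.169.254"],
    "dual.example": ["93.184.216.34", "10.0.0.5"],
}


def demo_resolver(host):
    """Numeric hosts resolve to themselves; names come from DEMO_DNS."""
    try:
        ipaddress.ip_address(host)
        return [host]
    except ValueError:
        return DEMO_DNS.get(host, [])


if __name__ == "__main__":
    for candidate in ("http://example.com/", "http://127.0.0.1:5000/",
                      "http://169.254.169.254/latest/meta-data/",
                      "http://metadata.internal/", "http://[::1]/",
                      "http://dual.example/", "file:///etc/passwd"):
        verdict = "allowed" if validate_watch_url(candidate, demo_resolver) else "blocked"
        print(f"{verdict:8} {candidate}")
```

One limit to keep in mind: the host is resolved once during validation and again when the connection is opened, which leaves a DNS-rebinding window. Closing it means connecting to the validated IP address directly and supplying the Host header yourself, which urllib does not do out of the box.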
CVE-2026-27696 is a Server-Side Request Forgery vulnerability in changedetection-io versions up to 0.53.7, allowing attackers to access internal network resources.
You are affected if you are running changedetection-io version 0.53.7 or earlier. Check your version and upgrade immediately.
Upgrade changedetection-io to version 0.54.1 or later to resolve the SSRF vulnerability. Consider temporary workarounds if immediate upgrade is not possible.
There is currently no confirmed active exploitation of CVE-2026-27696, but SSRF flaws of this kind are straightforward to exploit once known.
Refer to the changedetection-io project's official release notes and security advisories for details: [https://github.com/changedetectionio/changedetectionio](https://github.com/changedetectionio/changedetectionio)