Description
changedetection.io is a free open source web page change detection tool. In versions prior to 0.54.1, changedetection.io is vulnerable to Server-Side Request Forgery (SSRF) because the URL validation function `is_safe_valid_url()` does not validate the resolved IP address of watch URLs against private, loopback, or link-local address ranges. An authenticated user (or any user when no password is configured, which is the default) can add a watch for internal network URLs. The application fetches these URLs server-side, stores the response content, and makes it viewable through the web UI — enabling full data exfiltration from internal services. Version 0.54.1 contains a fix for the issue.
Published: 2026-02-25
Score: 8.6 High
EPSS: < 1% Very Low
KEV: No
Impact: Server-Side Request Forgery permitting internal data exfiltration via watch URLs
Action: Immediate Patch
AI Analysis

Impact

An authenticated user, or any user when no password is configured, can specify a watch URL that points to an internal, private, loopback, or link-local address. The application does not validate the resolved IP against these ranges, allowing it to fetch any resource reachable from the host. The fetched content is stored and presented in the web interface, enabling full exfiltration of internal data. This flaw constitutes a high-severity SSRF vulnerability, represented by CWE-918.
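The missing check described in the Description and in the Impact paragraph above, as an added defensive example: this is not changedetection.io's own code and not the fix shipped in 0.54.1. It is a resolve-then-check validator in Python that rejects any watch URL whose literal or DNS-resolved address falls in a private, loopback, link-local or otherwise non-public range, and fails closed on unresolvable names or mixed answer sets. Only the function name `is_safe_valid_url` is taken from the description; the stub resolver, the `CONSTRUCTED_DNS` table and the sample URLs are constructed for this example.

```python
import ipaddress
import socket
from typing import Callable, Dict, Iterable, List
from urllib.parse import urlsplit

# A resolver maps a hostname to the IP address strings it resolves to.
Resolver = Callable[[str], Iterable[str]]

# Ranges to block beyond what the ipaddress module already flags as
# private/loopback/link-local. 100.64.0.0/10 (shared address space) is the
# notable one, since ipaddress does not report it as private.
EXTRA_BLOCKED = [ipaddress.ip_network("100.64.0.0/10")]


def system_resolver(hostname: str) -> List[str]:
    """Resolve with the OS resolver and return every A/AAAA answer."""
    infos = socket.getaddrinfo(hostname, None, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def is_disallowed_address(ip_text: str) -> bool:
    """True when the address lies in a range a server-side fetch must not reach."""
    ip = ipaddress.ip_address(ip_text)
    # Unwrap IPv4-mapped IPv6 (::ffff:127.0.0.1) so the IPv4 rules apply to it.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    if (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified):
        return True
    return any(ip in net for net in EXTRA_BLOCKED)


def is_safe_valid_url(url: str, resolve: Resolver = system_resolver) -> bool:
    """Validate a watch URL: http(s) only, and every resolved address public."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False
    host = parts.hostname  # lower-cased; brackets stripped from IPv6 literals
    if not host:
        return False
    try:
        # Literal IP in the URL: no DNS lookup needed.
        return not is_disallowed_address(host)
    except ValueError:
        pass  # not an IP literal, fall through to DNS
    try:
        addresses = list(resolve(host))
    except (OSError, UnicodeError, ValueError):  # socket.gaierror is an OSError
        return False
    # Fail closed on an empty answer, and reject a mixed answer set: one
    # internal address among public ones is enough to reach the internal host.
    return bool(addresses) and not any(is_disallowed_address(a) for a in addresses)


# Constructed DNS table standing in for the real resolver (example data only).
CONSTRUCTED_DNS: Dict[str, List[str]] = {
    "public.example": ["8.8.8.8", "2001:4860:4860::8888"],
    "intranet.corp.example": ["10.0.0.5"],
    "rebind.example": ["8.8.8.8", "10.0.0.5"],  # mixed answer set
}


def stub_resolver(hostname: str) -> List[str]:
    """Offline resolver over the constructed table; unknown names fail like NXDOMAIN."""
    try:
        return CONSTRUCTED_DNS[hostname]
    except KeyError:
        raise socket.gaierror("NXDOMAIN (constructed)")


def check_watch_urls(urls: Iterable[str], resolve: Resolver = system_resolver) -> Dict[str, bool]:
    """Map each candidate watch URL to its allow/deny decision."""
    return {u: is_safe_valid_url(u, resolve) for u in urls}


if __name__ == "__main__":
    samples = [
        "https://public.example/status",
        "http://intranet.corp.example/admin",
        "http://rebind.example/",
        "http://127.0.0.1:8080/",
        "http://169.254.169.254/",
        "http://[::1]/",
        "http://[::ffff:10.0.0.5]/",
        "file:///tmp/notes.txt",
    ]
    for url, ok in check_watch_urls(samples, stub_resolver).items():
        print(f"{'allow' if ok else 'BLOCK':5}  {url}")
```

Two caveats apply to any check of this shape. Validating once when the watch is created does not cover DNS rebinding (the name may resolve to a public address at check time and an internal one at fetch time) or HTTP redirects, so the fetcher itself has to re-run the check on every hop, ideally connecting only to the address it just validated. And the `ipaddress` predicates are a convenience, not a specification: the explicit `EXTRA_BLOCKED` list exists because ranges such as shared address space are not reported as private by the standard library.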

Affected Systems

The affected product is changedetection.io provided by dgtlmoon. Versions prior to 0.54.1 are vulnerable. All installations that have enabled the watch feature and are accessible to an attacker could be impacted.

Risk and Exploitability

The CVSS score is 8.6, indicating high severity. The EPSS probability is less than 1%, suggesting that exploitation is not yet common, and the vulnerability is not listed in the CISA KEV catalog. Based on the description, the attack vector may be remote or local depending on network exposure, and on whether the instance allows unauthenticated access, which is the default. Once an attacker can submit a watch URL, they can retrieve any internal service data that the host can reach, effectively compromising the confidentiality of internal infrastructure.

Generated by OpenCVE AI on April 17, 2026 at 15:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade changedetection.io to version 0.54.1 or later, which fixes the SSRF check.
  • If an upgrade is not immediately possible, disable the ability to add watch URLs from external input, for example by modifying the configuration to block internal IP ranges or by removing the watch feature altogether.
  • Ensure that the application is not exposed to unauthenticated users when not required, by setting a strong login credential or configuring the web server to restrict access.

Advisories
Source: GitHub GHSA
ID: GHSA-3c45-4pj5-ch7m
Title: changedetection.io is Vulnerable to SSRF via Watch URLs
History

Thu, 26 Feb 2026 15:45:00 +0000

  • First Time appeared (values added): Webtechnologies; Webtechnologies changedetection
  • CPEs (values added): cpe:2.3:a:webtechnologies:changedetection:*:*:*:*:*:*:*:*
  • Vendors & Products (values added): Webtechnologies; Webtechnologies changedetection

Thu, 26 Feb 2026 11:15:00 +0000

  • Metrics ssvc (values added): {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 25 Feb 2026 12:00:00 +0000

  • First Time appeared (values added): Dgtlmoon; Dgtlmoon changedetection.io
  • Vendors & Products (values added): Dgtlmoon; Dgtlmoon changedetection.io

Wed, 25 Feb 2026 05:00:00 +0000

  • Description (values added): changedetection.io is a free open source web page change detection tool. In versions prior to 0.54.1, changedetection.io is vulnerable to Server-Side Request Forgery (SSRF) because the URL validation function `is_safe_valid_url()` does not validate the resolved IP address of watch URLs against private, loopback, or link-local address ranges. An authenticated user (or any user when no password is configured, which is the default) can add a watch for internal network URLs. The application fetches these URLs server-side, stores the response content, and makes it viewable through the web UI — enabling full data exfiltration from internal services. Version 0.54.1 contains a fix for the issue.
  • Title (values added): changedetection.io Vulnerable to Server-Side Request Forgery (SSRF) via Watch URLs
  • Weaknesses (values added): CWE-918
  • References (values added):
  • Metrics cvssV3_1 (values added): {'score': 8.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-25T14:51:16.695Z

Reserved: 2026-02-23T17:56:51.202Z

Link: CVE-2026-27696

Vulnrichment

Updated: 2026-02-25T14:51:11.760Z

NVD

Status : Analyzed

Published: 2026-02-25T05:17:26.940

Modified: 2026-02-26T15:34:26.273

Link: CVE-2026-27696

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T15:30:06Z

Weaknesses