Description
monetr is a budgeting application for recurring expenses. Prior to version 1.12.5, a server-side request forgery (SSRF) vulnerability in monetr's Lunch Flow integration allowed any authenticated user on a self-hosted instance to cause the monetr server to issue HTTP GET requests to arbitrary URLs supplied by the caller, with the response body from non-200 upstream responses reflected back in the API error message. This issue has been patched in version 1.12.5.
Published: 2026-05-07
Score: 8.3 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

monetr, a budgeting application, contains a server‑side request forgery flaw in its Lunch Flow integration. When an authenticated user creates or refreshes a Lunch Flow link, the server accepts a URL parameter and issues an HTTP GET request to that URL. If the upstream service responds with a non‑200 status code, the server includes the response body in the API error message, exposing the body to the caller.

Affected Systems

The vulnerability exists in all released versions of monetr prior to 1.12.5, i.e. the monetr:monetr product as used in self-hosted deployments.

Risk and Exploitability

With a CVSS score of 8.3, this vulnerability is high-severity. Exploitation requires an authenticated session on a self-hosted instance; the attacker triggers it through the Lunch Flow link creation or refresh endpoint, after which the server performs an HTTP GET request to whatever URL the attacker supplied. Because the body of any non-200 response is returned in the API error message, the attacker can read the content of those responses. This could enable internal network reconnaissance or disclosure of internal data; that consequence is inferred from the description, which states that the server can reach arbitrary URLs and that the response body is reflected back to the user. The EPSS score is unavailable, and the vulnerability is not listed in CISA's KEV catalog.

Generated by OpenCVE AI on May 7, 2026 at 15:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor‑supplied patch to upgrade monetr to version 1.12.5 or later
  • Restrict outbound traffic from the monetr server using network firewall rules so only approved IP ranges and ports are reachable
  • If Lunch Flow is not needed, disable the integration or restrict its use to trusted users
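The defensive pattern behind the recommendations above, as an added example written in Go (monetr's implementation language) that is not monetr's code and is not the 1.12.5 fix: the names ValidateIntegrationURL, NewGuardedClient, FetchIntegration and blockedNets are assumed for illustration. It closes both halves of the reported issue: the resolved address of every outbound connection is checked at dial time against loopback, private, link-local and CGNAT ranges (so a hostname that resolves to an internal address is refused, not only a literal IP), redirects are not followed, and a non-2xx upstream response yields an error that carries only the status code, never the upstream body.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"io"
	"net"
	"net/http"
	"net/url"
	"syscall"
	"time"
)

// ErrDisallowedURL is returned for any target that fails the SSRF checks.
var ErrDisallowedURL = errors.New("url not allowed")

// blockedNets (assumed list): loopback, RFC 1918, link-local (which includes
// the 169.254.169.254 cloud metadata address), CGNAT, and IPv6 equivalents.
var blockedNets = mustParseCIDRs(
	"127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
	"169.254.0.0/16", "100.64.0.0/10", "0.0.0.0/8",
	"::1/128", "fc00::/7", "fe80::/10", "::/128",
)

func mustParseCIDRs(cidrs ...string) []*net.IPNet {
	out := make([]*net.IPNet, 0, len(cidrs))
	for _, c := range cidrs {
		_, n, err := net.ParseCIDR(c)
		if err != nil {
			panic(err)
		}
		out = append(out, n)
	}
	return out
}

// IsBlockedIP reports whether ip lies in a blocked range. IPv4-mapped IPv6
// addresses (::ffff:10.1.2.3) are unmapped first so they cannot bypass the
// IPv4 rules.
func IsBlockedIP(ip net.IP) bool {
	if ip4 := ip.To4(); ip4 != nil {
		ip = ip4
	}
	for _, n := range blockedNets {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

// ValidateIntegrationURL is the cheap syntactic gate: absolute https URL with a
// host, no embedded credentials, and no literal IP in a blocked range. The
// real protection is the dial-time check in NewGuardedClient.
func ValidateIntegrationURL(raw string) (*url.URL, error) {
	u, err := url.Parse(raw)
	if err != nil || u.Scheme != "https" || u.Hostname() == "" || u.User != nil {
		return nil, ErrDisallowedURL
	}
	if ip := net.ParseIP(u.Hostname()); ip != nil && IsBlockedIP(ip) {
		return nil, ErrDisallowedURL
	}
	return u, nil
}

// NewGuardedClient checks the resolved address of every connection in the
// dialer's Control hook (after DNS resolution, so a rebinding name is caught)
// and refuses redirects, which would otherwise be a second path to an
// internal host.
func NewGuardedClient() *http.Client {
	dialer := &net.Dialer{
		Timeout: 5 * time.Second,
		Control: func(network, address string, _ syscall.RawConn) error {
			host, _, err := net.SplitHostPort(address)
			if err != nil {
				return err
			}
			if ip := net.ParseIP(host); ip == nil || IsBlockedIP(ip) {
				return ErrDisallowedURL
			}
			return nil
		},
	}
	return &http.Client{
		Timeout:   10 * time.Second,
		Transport: &http.Transport{DialContext: dialer.DialContext},
		CheckRedirect: func(*http.Request, []*http.Request) error {
			return http.ErrUseLastResponse
		},
	}
}

// FetchIntegration performs the guarded GET. A non-2xx response produces an
// error with only the status code; the upstream body is drained and discarded,
// so nothing remote is reflected to the API caller (the CWE-209 part of the
// issue). A successful body is capped at 1 MiB (CWE-770).
func FetchIntegration(ctx context.Context, client *http.Client, raw string) ([]byte, error) {
	u, err := ValidateIntegrationURL(raw)
	if err != nil {
		return nil, err
	}
	req, err := http.NewRequestWithContext(ctx, http.MethodGet, u.String(), nil)
	if err != nil {
		return nil, err
	}
	resp, err := client.Do(req)
	if err != nil {
		return nil, fmt.Errorf("integration fetch failed") // dial/guard details stay server-side
	}
	defer resp.Body.Close()
	if resp.StatusCode < 200 || resp.StatusCode >= 300 {
		io.Copy(io.Discard, resp.Body)
		return nil, fmt.Errorf("integration returned HTTP %d", resp.StatusCode)
	}
	return io.ReadAll(io.LimitReader(resp.Body, 1<<20))
}
```

Doing the range check in the dialer's Control hook rather than by resolving the hostname yourself closes the gap where DNS returns a public address during validation and an internal one at connect time. The egress firewall rule in the second recommendation remains the backstop for anything the application-level check misses.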



Advisories
Source: GitHub GHSA
ID: GHSA-29v9-frvh-c426
Title: monetr: Server-side request forgery in Lunch Flow link creation and refresh
History

Thu, 07 May 2026 15:15:00 +0000

Type: First Time appeared
Values Added: Monetr; Monetr monetr
Type: Vendors & Products
Values Added: Monetr; Monetr monetr

Thu, 07 May 2026 14:15:00 +0000

Type: Metrics
Values Added: ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 07 May 2026 12:15:00 +0000

Type: Description
Values Added: monetr is a budgeting application for recurring expenses. Prior to version 1.12.5, a server-side request forgery (SSRF) vulnerability in monetr's Lunch Flow integration allowed any authenticated user on a self-hosted instance to cause the monetr server to issue HTTP GET requests to arbitrary URLs supplied by the caller, with the response body from non-200 upstream responses reflected back in the API error message. This issue has been patched in version 1.12.5.
Type: Title
Values Added: monetr is vulnerable to server-side request forgery in Lunch Flow link creation and refresh
Type: Weaknesses
Values Added: CWE-209, CWE-770, CWE-918
Type: References
Type: Metrics
Values Added: cvssV4_0

{'score': 8.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:L/SC:H/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-07T13:48:06.056Z

Reserved: 2026-04-21T23:58:43.802Z

Link: CVE-2026-41644

Vulnrichment

Updated: 2026-05-07T13:48:00.872Z

NVD

Status : Awaiting Analysis

Published: 2026-05-07T12:16:17.810

Modified: 2026-05-07T15:53:49.717

Link: CVE-2026-41644

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-07T15:30:06Z

Weaknesses