CVE-2026-27696 Overview
CVE-2026-27696 is a Server-Side Request Forgery (SSRF) vulnerability discovered in changedetection.io, a free open source web page change detection tool. The vulnerability exists because the URL validation function is_safe_valid_url() does not validate the resolved IP address of watch URLs against private, loopback, or link-local address ranges.
An authenticated user (or any user when no password is configured, which is the default configuration) can add a watch for internal network URLs. The application fetches these URLs server-side, stores the response content, and makes it viewable through the web UI — enabling full data exfiltration from internal services.
Critical Impact
This SSRF vulnerability allows attackers to reach internal network resources and exfiltrate sensitive data from services that should not be publicly accessible. It is particularly dangerous in the default configuration, where no authentication is required to add a watch.
Affected Products
- webtechnologies changedetection (versions prior to 0.54.1)
Discovery Timeline
- 2026-02-25 - CVE-2026-27696 published to NVD
- 2026-02-26 - Last updated in NVD database
Technical Details for CVE-2026-27696
Vulnerability Analysis
The SSRF vulnerability in changedetection.io stems from incomplete URL validation in the application's watch functionality. The core issue lies in the is_safe_valid_url() function which fails to perform adequate validation on the resolved IP addresses of URLs submitted by users.
When a user adds a URL to be monitored for changes, the application performs server-side requests to fetch the content. While the application attempts to validate URL formats and protocols, it does not check whether the resolved IP address falls within restricted ranges such as private networks (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16), loopback addresses (127.0.0.0/8), or link-local addresses (169.254.0.0/16).
This oversight allows attackers to craft URLs that resolve to internal network addresses, effectively using the changedetection.io server as a proxy to access internal services. The stored response content is then made available through the web UI, completing the data exfiltration chain.
Root Cause
The root cause is the inadequate IP address validation in the is_safe_valid_url() function within changedetectionio/content_fetchers/requests.py. The function validates URL protocols and formats but fails to resolve and check the destination IP address against restricted private, loopback, and link-local address ranges before allowing the request.
Attack Vector
The attack vector is network-based and can be exploited remotely. An attacker with access to the changedetection.io web interface (which requires no authentication in the default configuration) can submit watch URLs targeting internal network resources. The application will fetch these resources server-side and store the responses, allowing the attacker to view internal service data through the web UI.
Attack scenarios include:
- Accessing internal APIs and microservices
- Retrieving cloud metadata endpoints (e.g., http://169.254.169.254/)
- Scanning internal network infrastructure
- Exfiltrating data from internal databases or file servers
# Security patch in changedetectionio/content_fetchers/requests.py
# Source: https://github.com/dgtlmoon/changedetection.io/commit/fe7aa38c651d73fe5f41ce09855fa8f97193747b
from loguru import logger
+from urllib.parse import urljoin, urlparse
import hashlib
import os
import re
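Review bot: this hunk only adds `from urllib.parse import urljoin, urlparse`; the resolved-address check that the advisory attributes to this commit is not visible in the excerpt, so the fix itself cannot be reviewed from these lines. Both imported names also need a use in the file, otherwise linters will flag the import as unused; include the is_safe_valid_url() change in the excerpt so the check can be read alongside the import.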
Source: GitHub Commit Log
# Security patch in changedetectionio/store/__init__.py - improved error handling
# Source: https://github.com/dgtlmoon/changedetection.io/commit/fe7aa38c651d73fe5f41ce09855fa8f97193747b
return False
if not is_safe_valid_url(url):
- flash(gettext('Watch protocol is not permitted or invalid URL format'), 'error')
-
+ from flask import has_request_context
+ if has_request_context():
+ flash(gettext('Watch protocol is not permitted or invalid URL format'), 'error')
+ else:
+ logger.error(f"add_watch: URL '{url}' is not permitted or invalid, skipping.")
return None
# Check PAGE_WATCH_LIMIT if set
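Review bot: `from flask import has_request_context` is imported inside the function body; move it to the module's top-level imports next to `flash` unless a circular import forces the local import, and leave a comment if so. The surrounding code also mixes failure return values, `return False` in the context line above and `return None` after the new branch, so callers must test the result as falsy rather than with `is None`; picking one sentinel for all failure paths would avoid that trap.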
Source: GitHub Commit Log
Detection Methods for CVE-2026-27696
Indicators of Compromise
- Watch entries containing internal IP addresses (10.x.x.x, 172.16-31.x.x, 192.168.x.x, 127.x.x.x)
- Watch URLs targeting cloud metadata endpoints (169.254.169.254)
- Unusual network traffic from the changedetection.io server to internal services
- Stored watch content containing internal service responses or sensitive configuration data
Detection Strategies
- Monitor changedetection.io logs for watch additions targeting private IP ranges or localhost
- Implement network monitoring to detect outbound connections from the application server to internal network segments
- Review stored watch content for signs of internal data exfiltration
- Audit user activity logs for suspicious watch URL submissions
Monitoring Recommendations
- Configure network-level monitoring to alert on connections to RFC1918 addresses from the changedetection.io server
- Enable detailed application logging and forward to SIEM for correlation analysis
- Set up alerts for watch entries containing IP addresses rather than domain names
- Monitor for access patterns consistent with internal network reconnaissance
How to Mitigate CVE-2026-27696
Immediate Actions Required
- Upgrade changedetection.io to version 0.54.1 or later immediately
- Enable authentication on changedetection.io installations if not already configured
- Review existing watch entries for any targeting internal IP ranges or suspicious URLs
- Implement network segmentation to restrict the application server's access to internal resources
Patch Information
Version 0.54.1 of changedetection.io contains a fix for this vulnerability. The patch adds proper IP address validation to check resolved addresses against private, loopback, and link-local ranges before allowing watch URLs.
For detailed patch information, see the GitHub Security Advisory and commit fe7aa38c651d73fe5f41ce09855fa8f97193747b.
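The resolved-address check described under Root Cause and Patch Information, plus an audit pass over existing watch entries (Immediate Actions), as an added Python example; this is not the project's code or the actual patch, and the resolver parameter, the function names and the sample DNS table are assumptions made here:

```python
import ipaddress
import socket
from urllib.parse import urlparse
def system_resolver(host):
    return {i[4][0] for i in socket.getaddrinfo(host, None)}  # all A/AAAA answers

# Constructed sample DNS table (not real records) so the example runs offline.
SAMPLE_DNS = {"example.com": {"93.184.216.34"}, "intranet.local": {"10.1.2.3"},
              "dual.example": {"93.184.216.34", "192.168.1.5"}}

def sample_resolver(host):
    if host not in SAMPLE_DNS:
        raise OSError(f"{host}: no such host")  # socket.gaierror is an OSError
    return SAMPLE_DNS[host]

def is_restricted_ip(ip_str):
    """True for private, loopback, link-local, multicast or other non-global
    addresses; IPv4-mapped IPv6 (::ffff:10.0.0.1) is unwrapped first."""
    ip = ipaddress.ip_address(ip_str)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return (not ip.is_global or ip.is_private or ip.is_loopback
            or ip.is_link_local or ip.is_multicast)

def is_safe_resolved_url(url, resolver=system_resolver):
    """Scheme check plus the resolved-address check that was missing; (ok, reason)."""
    parsed = urlparse(url)
    host = parsed.hostname
    if parsed.scheme not in ("http", "https") or not host:
        return False, "scheme not permitted or invalid URL format"
    try:
        ipaddress.ip_address(host)  # literal IP: nothing to resolve
        addrs = {host}
    except ValueError:
        try:
            addrs = resolver(host)
        except OSError:
            return False, f"{host} does not resolve"
    if not addrs:
        return False, f"{host} does not resolve"
    for addr in sorted(addrs):  # every answer must be public, not just the first
        if is_restricted_ip(addr):
            return False, f"{host} resolves to restricted address {addr}"
    return True, "ok"

def audit_watch_urls(urls, resolver=system_resolver):
    """Flag existing watch entries that the hardened check would now reject."""
    checked = [(u, *is_safe_resolved_url(u, resolver)) for u in urls]
    return [(u, reason) for u, ok, reason in checked if not ok]
```

The check resolves the name once while the HTTP client resolves it again at connect time, so to close the remaining gap also validate the address the client actually connects to and re-run the check on every redirect.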
Workarounds
- Enable password authentication immediately if running in default (no-password) configuration
- Deploy network-level controls (firewall rules) to prevent the changedetection.io server from accessing internal network ranges
- Use a reverse proxy with URL filtering to block requests to internal addresses
- Consider running changedetection.io in an isolated network segment with limited access to internal resources
# Configuration example - Network isolation using iptables
# Block outbound connections to private IP ranges from the changedetection.io container/server
# These rules belong in the OUTPUT chain of the network namespace the application
# actually runs in: for a Docker deployment that means inside the container (or the
# host's DOCKER-USER/FORWARD chain for forwarded traffic), not the host's own OUTPUT chain.
# Use -I instead of -A if an earlier rule in the chain already ACCEPTs this traffic.
# Block RFC1918 private addresses
iptables -A OUTPUT -d 10.0.0.0/8 -j DROP
iptables -A OUTPUT -d 172.16.0.0/12 -j DROP
iptables -A OUTPUT -d 192.168.0.0/16 -j DROP
# Block loopback from non-localhost sources. Traffic to 127.0.0.0/8 normally leaves via
# lo, so this rule only catches misrouted packets; to keep the application itself away
# from services bound to localhost without breaking the rest of the host, restrict by
# the application's uid instead (-m owner --uid-owner <changedetection-uid>).
iptables -A OUTPUT -d 127.0.0.0/8 ! -o lo -j DROP
# Block link-local and cloud metadata
iptables -A OUTPUT -d 169.254.0.0/16 -j DROP
# If IPv6 is enabled, add the ip6tables equivalents for ::1/128 and fe80::/10.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.