CVE-2026-27696
Published: 25 February 2026
Summary
CVE-2026-27696 is a high-severity SSRF (CWE-918) vulnerability in Webtechnologies Changedetection. Its CVSS base score is 8.6 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It is ranked at the 6.3rd percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and AC-4 (Information Flow Enforcement).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly mandates validation of watch URL inputs, including their resolved IP addresses, so that private, loopback, or link-local ranges are blocked and the SSRF made possible by the flawed `is_safe_valid_url()` function is prevented.
- AC-4 (Information Flow Enforcement): enforces information flow control policies that restrict server-side fetches from the application to internal network resources, mitigating unauthorized access to internal services.
- SC-7 (Boundary Protection): monitors and controls outbound communications from the application, blocking requests to internal URLs that would enable data exfiltration.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
An SSRF in a public-facing web application maps directly to T1190 (Exploit Public-Facing Application). Once reached, it lets the server probe internal hosts and ports on the attacker's behalf (Network Service Discovery, T1046; Remote System Discovery, T1018) and retrieve data from internal services.
NVD Description
changedetection.io is a free open source web page change detection tool. In versions prior to 0.54.1, changedetection.io is vulnerable to Server-Side Request Forgery (SSRF) because the URL validation function `is_safe_valid_url()` does not validate the resolved IP address of watch URLs against private, loopback, or link-local address ranges. An authenticated user (or any user when no password is configured, which is the default) can add a watch for internal network URLs. The application fetches these URLs server-side, stores the response content, and makes it viewable through the web UI — enabling full data exfiltration from internal services. Version 0.54.1 contains a fix for the issue.
Deeper analysis
CVE-2026-27696 is a Server-Side Request Forgery (SSRF) vulnerability (CWE-918) affecting changedetection.io, a free open-source web page change detection tool, in versions prior to 0.54.1. The issue stems from the URL validation function `is_safe_valid_url()`, which fails to check the resolved IP address of watch URLs against private, loopback, or link-local address ranges. This allows the application to process and fetch arbitrary internal URLs without proper restrictions.
An attacker with authenticated access (or any user when no password is configured, which is the default) can exploit this by adding a watch for internal network URLs. The application then fetches these URLs server-side, stores the response content, and exposes it through the web UI, enabling full data exfiltration from internal services. The vulnerability has a CVSS v3.1 base score of 8.6 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N), indicating high severity due to network accessibility, low attack complexity, no required privileges, and a high confidentiality impact in a changed scope.
The GitHub security advisory (GHSA-3c45-4pj5-ch7m) and associated commit (fe7aa38c651d73fe5f41ce09855fa8f97193747b) confirm that version 0.54.1 addresses the issue by improving URL validation to block unsafe IP ranges. Security practitioners should upgrade to 0.54.1 or later and consider enforcing authentication with strong passwords to limit exposure.
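The check that the SI-10 mitigation and the analysis above call for, as an added example: a watch-URL validator that resolves the hostname and rejects any address that is not globally routable. This is illustration code written for this page, not changedetection.io's own `is_safe_valid_url()` or the fix shipped in 0.54.1. The function name `is_safe_watch_url`, the injectable `resolver` parameter and the sample hostnames are assumptions made for the example; it goes slightly beyond the page by also handling IPv4-mapped IPv6 literals, multicast and reserved ranges, and names that resolve to a mix of public and internal addresses.

```python
import ipaddress
import socket
from urllib.parse import urlparse

# Added example, not changedetection.io's code: schemes a watch may use.
ALLOWED_SCHEMES = {"http", "https"}


def resolve_all(host):
    """Default resolver: every A/AAAA address the system resolver returns.

    Checking every answer matters: a name may resolve to one public and one
    internal address, and the fetch may end up using either of them.
    """
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    # sockaddr[0] is the textual address; drop any IPv6 scope suffix (%eth0).
    return [info[4][0].split("%")[0] for info in infos]


def is_globally_routable(ip):
    """True only for addresses outside private, loopback, link-local,
    multicast, reserved and unspecified ranges."""
    # Unwrap IPv4-mapped IPv6 (::ffff:10.0.0.5) so the IPv4 rules apply to it.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    blocked = (ip.is_private or ip.is_loopback or ip.is_link_local
               or ip.is_multicast or ip.is_reserved or ip.is_unspecified)
    return ip.is_global and not blocked


def is_safe_watch_url(url, resolver=resolve_all):
    """Return True if the URL may be fetched server-side (hypothetical helper).

    Rejects non-HTTP schemes, empty hosts, internal IP literals, and names
    whose resolved addresses include any non-public address. A resolver
    failure is treated as unsafe rather than as "unknown".
    """
    parsed = urlparse(url)
    if parsed.scheme.lower() not in ALLOWED_SCHEMES:
        return False
    host = parsed.hostname  # lowercased; brackets stripped from IPv6 literals
    if not host:
        return False
    # Literal address: check it directly, no DNS involved.
    try:
        return is_globally_routable(ipaddress.ip_address(host))
    except ValueError:
        pass  # not a literal, fall through to name resolution
    try:
        addresses = resolver(host)
    except (socket.gaierror, OSError):
        return False
    if not addresses:
        return False
    try:
        return all(is_globally_routable(ipaddress.ip_address(a))
                   for a in addresses)
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample inputs; the stub resolver avoids real DNS lookups.
    stub = {"intranet.example": ["10.1.2.3"],
            "dual.example": ["8.8.8.8", "10.1.2.3"],
            "public.example": ["8.8.8.8"]}
    samples = ["http://127.0.0.1/", "http://[::1]/", "http://[::ffff:10.0.0.5]/",
               "file:///etc/passwd", "http://8.8.8.8/", "http://intranet.example/",
               "http://dual.example/", "http://public.example/"]
    for u in samples:
        print(f"{u:35s} safe={is_safe_watch_url(u, resolver=lambda h: stub[h])}")
```

Two caveats a practitioner would add on top of this check: the address validated here is not necessarily the one the HTTP client connects to a moment later, so the fetch layer should connect to the address that passed validation (or repeat the check at connection time), and every HTTP redirect target must go through the same validation before it is followed.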
Details
- CWE(s)