Skip to main content

monetr CVE-2026-41644

HIGH
Error Message Information Leak (CWE-209)
2026-04-22 https://github.com/monetr/monetr GHSA-29v9-frvh-c426
8.3
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.3 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:L/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:L/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

6
Re-analysis Queued
May 07, 2026 - 12:22 vuln.today
cvss_changed
CVSS changed
May 07, 2026 - 12:22 NVD
8.3 (HIGH)
Analysis Generated
Apr 23, 2026 - 06:50 vuln.today
Analysis Generated
Apr 22, 2026 - 20:01 vuln.today
Patch released
Apr 22, 2026 - 20:01 nvd
Patch available
CVE Published
Apr 22, 2026 - 19:57 nvd
HIGH

DescriptionGitHub Advisory

Impact

A server-side request forgery (SSRF) vulnerability in monetr's Lunch Flow integration allowed any authenticated user on a self-hosted instance to cause the monetr server to issue HTTP GET requests to arbitrary URLs supplied by the caller, with the response body from non-200 upstream responses reflected back in the API error message.

The URL validator on POST /api/lunch_flow/link only checked the URL scheme and rejected query parameters; it did not filter loopback, RFC1918, link-local, or cloud-provider metadata addresses. The outbound HTTP client read the response body via an unbounded io.ReadAll, and the controller intentionally surfaced the resulting error (which contained the upstream body) as the JSON error field of the API response.

Who is affected: self-hosted monetr deployments running the default configuration. Out of the box, LunchFlow.Enabled=true, AllowSignUp=true, and billing is not enforced, so any user who can register on the instance can reach the vulnerable endpoint. Deployments running in a cloud environment where instance metadata is reachable from the pod (e.g. AWS EC2 without IMDSv2 enforced) expand the impact to include potential exposure of instance metadata through the reflected error body.

Who is NOT affected: the hosted my.monetr.app service, which runs with LunchFlow.Enabled=false. Self-hosted operators who had already disabled public sign-up (MONETR_ALLOW_SIGN_UP=false) substantially reduce their exposure since only operator-trusted users can reach the endpoint.

A secondary denial-of-service vector also existed: because the outbound response body was read with no size cap, an attacker-influenced upstream could return a multi-GB body that monetr would fully buffer into memory.

Patches

Fixed in monetr v1.12.5. Users should upgrade to this release or later.

The fix introduces a new config field LunchFlow.AllowedApiUrls (a list of permitted Lunch Flow API URLs) with a default of ["https://lunchflow.app/api/v1"]. URLs outside the allowlist are rejected both at link-creation time and at client-construction time, with a server-side warning log on rejection. Response body reads are capped at 10 MiB for both success and error paths. The UI renders the API URL field as a disabled pre-filled input when a single URL is allowed, or a dropdown when multiple are allowed, so operators who need to use a staging or self-hosted Lunch Flow API opt in explicitly via config.

Upgrade note for self-hosters with a custom Lunch Flow URL: if your existing LunchFlowLink records point at a URL other than https://lunchflow.app/api/v1, set your lunchFlow.allowedApiUrls in your yaml config to include your custom URL before upgrading. Otherwise existing links will fail on next refresh or sync with a "Rejected Lunch Flow API URL that is not in the configured allowlist" warning in the server log.

Workarounds

For operators who cannot upgrade immediately, any of the following materially reduces or eliminates exposure:

  • Disable public sign-up: set MONETR_ALLOW_SIGN_UP=false so only operator-trusted users can reach the vulnerable

endpoint. Recommended in general for internet-exposed self-hosted deployments.

  • Disable Lunch Flow entirely: set lunchFlow.enabled: false in your config file. The endpoints will return 404 for

all callers.

  • Network-level egress restriction: restrict outbound HTTP egress from the monetr pod/container to only

lunchflow.app (or whichever legitimate Lunch Flow hosts you use). Blocks the SSRF primitive regardless of application-layer validation.

  • On AWS EC2 specifically: enforce IMDSv2 on the instance. This eliminates the cloud-metadata exfil path even if the

SSRF primitive remains reachable.

AnalysisAI

Server-side request forgery in monetr's Lunch Flow integration allows authenticated users on self-hosted instances to force the server to issue HTTP GET requests to arbitrary URLs, with response bodies from failed requests reflected in API error messages. This enables information disclosure attacks against internal networks, cloud metadata endpoints (AWS EC2 instance metadata without IMDSv2), and RFC1918 private addresses. The vulnerability is compounded by unbounded response buffering that creates a denial-of-service vector via memory exhaustion. Patch available in v1.12.5. The hosted my.monetr.app service is not affected as Lunch Flow is disabled there. Self-hosted instances with default configuration (Lunch Flow enabled, public signup allowed) are at highest risk.

Technical ContextAI

The vulnerability exists in monetr's Lunch Flow integration, a Go-based personal finance application. The vulnerable endpoint POST /api/lunch_flow/link accepted arbitrary URLs from authenticated users with insufficient validation-checking only URL scheme and rejecting query parameters, but failing to filter loopback addresses (127.0.0.0/8), RFC1918 private networks (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16), link-local addresses (169.254.0.0/16), or cloud metadata endpoints (169.254.169.254 for AWS/GCP/Azure). The outbound HTTP client performed unbounded response body reads via io.ReadAll, and the controller surfaced upstream error responses (CWE-209: Generation of Error Message Containing Sensitive Information) in the JSON error field returned to the caller. This creates a classic SSRF primitive that converts the monetr server into a proxy for scanning internal networks and exfiltrating metadata via error message reflection. The Go HTTP client's default behavior combined with intentional error surfacing created both the SSRF vector and the information disclosure channel.

RemediationAI

Upgrade to monetr v1.12.5 or later, available at https://github.com/monetr/monetr/releases/tag/v1.12.5. The fix introduces LunchFlow.AllowedApiUrls configuration with a secure default whitelist of https://lunchflow.app/api/v1, rejects URLs outside the allowlist at both link-creation and client-construction time, and caps response body reads at 10 MiB to prevent memory exhaustion. Operators using custom Lunch Flow API URLs must add those URLs to lunchFlow.allowedApiUrls in configuration before upgrading to prevent existing integrations from breaking. For deployments unable to upgrade immediately, implement one or more workarounds: disable public signup via MONETR_ALLOW_SIGN_UP=false to limit exposure to trusted users only (recommended for all internet-facing instances regardless of vulnerability); disable Lunch Flow entirely with lunchFlow.enabled=false to return 404 on vulnerable endpoints; configure network-level egress filtering to restrict outbound HTTP from monetr containers to only legitimate Lunch Flow API hosts, which blocks SSRF at the network layer; or on AWS EC2 specifically, enforce IMDSv2 to prevent metadata endpoint access even if SSRF primitive remains exploitable. The egress filtering workaround is most robust as it provides defense-in-depth independent of application logic, though disabling public signup provides the fastest risk reduction for most operators. Patch implementation details in https://github.com/monetr/monetr/pull/3122 and commit c260caa3c573a4a396ec2d264c7641a5d958385b.

Share

CVE-2026-41644 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy