Server-Side Request Forgery Vulnerability in monetr Budgeting Application
CVE-2026-41644

8.3 HIGH

Key Information:

Vendor: Monetr

Status
Vendor
CVE Published: 7 May 2026

What is CVE-2026-41644?

Versions of the monetr budgeting application prior to 1.12.5 contain a server-side request forgery (SSRF) vulnerability in the Lunch Flow integration. Any authenticated user on a self-hosted instance can cause the monetr server to issue HTTP GET requests to arbitrary URLs that the user specifies. When the target answers with a non-200 status code, the monetr server also reflects the response body back to the user in API error messages. This could lead to data exposure or further exploitation. The issue is mitigated in version 1.12.5.
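The two behaviours described above (a user-chosen request destination and a reflected upstream body) map to two server-side checks, sketched here as an added example; this is not monetr's code or its actual fix. `checkUpstreamURL`, `upstreamError`, the injectable `resolver` and all hostnames and addresses are hypothetical, constructed values.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/url"
)

// resolver is injectable so the check runs offline; real code would pass net.LookupIP.
type resolver func(host string) ([]net.IP, error)

// checkUpstreamURL is a hypothetical helper (an assumption, not monetr's API).
// It rejects user-supplied integration URLs that are not HTTPS, carry
// credentials, or point at loopback, private, link-local or unspecified addresses.
func checkUpstreamURL(raw string, lookup resolver) error {
	u, err := url.Parse(raw)
	if err != nil || u.Scheme != "https" || u.Hostname() == "" || u.User != nil {
		return errors.New("URL must be https with a host and no credentials")
	}
	var ips []net.IP
	if ip := net.ParseIP(u.Hostname()); ip != nil {
		ips = append(ips, ip) // IP literal: check it directly
	} else if ips, err = lookup(u.Hostname()); err != nil || len(ips) == 0 {
		return errors.New("host does not resolve")
	}
	for _, ip := range ips { // every resolved address must be acceptable
		if ip.IsLoopback() || ip.IsPrivate() || ip.IsUnspecified() ||
			ip.IsLinkLocalUnicast() || ip.IsLinkLocalMulticast() {
			return fmt.Errorf("destination %s is not publicly routable", ip)
		}
	}
	return nil
}

// upstreamError builds the client-facing error for a non-200 upstream reply.
// The body is deliberately left out so it cannot be read back through the API.
func upstreamError(status int, body []byte) error {
	return fmt.Errorf("upstream returned unexpected status %d", status)
}

func main() {
	// Constructed resolver: every name maps to a documentation-range address.
	static := func(string) ([]net.IP, error) { return []net.IP{net.ParseIP("203.0.113.10")}, nil }
	for _, raw := range []string{"https://api.example.test/v1", "https://127.0.0.1/", "http://api.example.test/"} {
		fmt.Println(raw, "->", checkUpstreamURL(raw, static))
	}
	fmt.Println(upstreamError(403, []byte("constructed upstream body")))
}
```

A resolve-then-connect check like this leaves a gap if the HTTP client resolves the name again or follows redirects, so the outbound client should connect only to the validated address and apply the same check to any redirect target.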

Affected Version(s)

monetr < 1.12.5

CVSS V4

Score: 8.3
Severity: HIGH
Confidentiality: High
Integrity: None
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved
