PT-2026-34611 · Monetr · Monetr

Elliot Courant · Published 2026-04-22 · Updated 2026-05-20

CVE-2026-41644 · CVSS v4.0 8.3 (High)
Vector: AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:L/SC:H/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: monetr versions prior to 1.12.5
Description: A server-side request forgery (SSRF) in the Lunch Flow integration lets any authenticated user of a self-hosted instance make the server send an HTTP GET request to an arbitrary URL, and the body of any non-200 upstream response is reflected back in the API error message. The URL validator for the POST /api/lunch_flow/link endpoint only checked the URL scheme and rejected query parameters; it did not filter loopback, RFC 1918, link-local, or cloud-provider metadata addresses, so in cloud environments the flaw can expose instance metadata. The same code path is also a denial-of-service vector, because the upstream response body is read without a size limit and a sufficiently large response can exhaust the server's memory.
Recommendations: Update to version 1.12.5 or later. Set MONETR_ALLOW_SIGN_UP=false to disable public sign-up, so that only users you have provisioned can reach the authenticated endpoint. Set lunchFlow.enabled: false in the configuration file to disable Lunch Flow entirely if the integration is not needed. Restrict outbound HTTP egress from the container to the legitimate Lunch Flow hosts only. On AWS EC2, enforce IMDSv2, which requires a PUT request to obtain a session token before metadata can be read, so a GET-only SSRF cannot retrieve it.
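The three defects in the description, the missing address filter on the link URL, the reflected upstream body, and the unbounded read, can be closed together on the server side. The following is an added example in Go (the language monetr is written in), written for this page; it is not monetr's own code and not the 1.12.5 fix. The blocked-range list, the https-only rule, the function names, the 1 MiB-style size limit and the hostnames are assumptions for the example. It goes beyond the advisory in one respect: the range check is repeated at dial time, on the address actually connected to, so a DNS answer that changes between validation and connect (rebinding) cannot reach an internal address, and redirects are refused.

```go
package main

import (
	"context"
	"fmt"
	"io"
	"net"
	"net/http"
	"net/url"
	"time"
)

// Ranges an outbound link URL must never reach: loopback, RFC 1918, CGNAT, link-local (which
// covers the 169.254.169.254 metadata service), unspecified, and the IPv6 equivalents (assumed list).
var blockedNets = func() (nets []*net.IPNet) {
	for _, c := range []string{"127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
		"169.254.0.0/16", "100.64.0.0/10", "0.0.0.0/8", "::1/128", "::/128", "fc00::/7", "fe80::/10"} {
		_, n, _ := net.ParseCIDR(c) // constant strings, cannot fail
		nets = append(nets, n)
	}
	return nets
}()

// IsBlockedIP unmaps IPv4-mapped IPv6 (::ffff:127.0.0.1) first so it cannot dodge the v4 rules.
func IsBlockedIP(ip net.IP) bool {
	if v4 := ip.To4(); v4 != nil {
		ip = v4
	}
	for _, n := range blockedNets {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

// LookupFunc is injected so the request-time check can be exercised without DNS.
type LookupFunc func(ctx context.Context, host string) ([]net.IP, error)

// ValidateOutboundURL accepts only plain https URLs whose host (an IP literal, or every
// address a name resolves to) lies outside the blocked ranges. Not monetr's validator.
func ValidateOutboundURL(ctx context.Context, raw string, lookup LookupFunc) error {
	u, err := url.Parse(raw)
	if err != nil {
		return fmt.Errorf("invalid url: %w", err)
	}
	if u.Scheme != "https" || u.User != nil || u.RawQuery != "" || u.Fragment != "" {
		return fmt.Errorf("only https URLs without credentials, query or fragment are accepted")
	}
	host := u.Hostname()
	if host == "" {
		return fmt.Errorf("missing host")
	}
	ips := []net.IP{net.ParseIP(host)}
	if ips[0] == nil { // not an IP literal: every address the name maps to must pass
		if ips, err = lookup(ctx, host); err != nil || len(ips) == 0 {
			return fmt.Errorf("host %q did not resolve: %v", host, err)
		}
	}
	for _, ip := range ips {
		if IsBlockedIP(ip) {
			return fmt.Errorf("host %q resolves to blocked address %s", host, ip)
		}
	}
	return nil
}

// NewOutboundClient repeats the range check at dial time on the exact address it connects to
// (defeats DNS rebinding) and never follows redirects, since a 3xx from upstream could point anywhere.
func NewOutboundClient(timeout time.Duration) *http.Client {
	return &http.Client{
		Timeout:       timeout,
		CheckRedirect: func(*http.Request, []*http.Request) error { return http.ErrUseLastResponse },
		Transport: &http.Transport{
			DialContext: func(ctx context.Context, network, addr string) (net.Conn, error) {
				host, port, err := net.SplitHostPort(addr)
				if err != nil {
					return nil, err
				}
				ips, err := net.DefaultResolver.LookupIP(ctx, "ip", host)
				if err != nil || len(ips) == 0 || IsBlockedIP(ips[0]) {
					return nil, fmt.Errorf("refusing to dial %s (%v): blocked or unresolvable", host, ips)
				}
				d := &net.Dialer{Timeout: 5 * time.Second}
				return d.DialContext(ctx, network, net.JoinHostPort(ips[0].String(), port))
			},
		},
	}
}

// ReadBody applies the two response-side rules: a non-200 answer yields an error carrying only the
// status code (the upstream body is never reflected into the API error), and at most max bytes are
// read, so an oversized upstream body fails instead of exhausting memory.
func ReadBody(resp *http.Response, max int64) ([]byte, error) {
	if resp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("upstream returned HTTP %d", resp.StatusCode)
	}
	body, err := io.ReadAll(io.LimitReader(resp.Body, max+1))
	if err == nil && int64(len(body)) > max {
		err = fmt.Errorf("upstream body exceeds %d bytes", max)
	}
	if err != nil {
		return nil, err
	}
	return body, nil
}

func main() { // constructed input: an IP literal needs no DNS, so the lookup can be nil here
	fmt.Println(ValidateOutboundURL(context.Background(), "https://169.254.169.254/latest/meta-data/", nil))
}
```

Use ValidateOutboundURL when the link request arrives, send the GET with NewOutboundClient, and pass the response through ReadBody before anything reaches the API caller. The request-time check alone is not sufficient: if the name resolves differently at connect time than at validation time, only the dial-time check stands between the request and the internal network, which is why the client re-resolves and connects to the address it just checked. Network egress filtering and IMDSv2, from the recommendations above, remain the backstop if the application-level check is ever bypassed.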

Fix

Weakness Enumeration

CWE-918: Server-Side Request Forgery (SSRF)
CWE-209: Generation of Error Message Containing Sensitive Information
CWE-770: Allocation of Resources Without Limits or Throttling

Related Identifiers

CVE-2026-41644
GHSA-29V9-FRVH-C426
GO-2026-4966

Affected Products

Monetr