CVE-2024-23329 in changedetection.io
Summary
by MITRE • 01/19/2024
changedetection.io is an open source tool designed to monitor websites for content changes. In affected versions the API endpoint `/api/v1/watch/<uuid>/history` can be accessed by any unauthorized user. As a result any unauthorized user can check one's watch history. However, because an unauthorized party first needs to know a watch UUID, and the watch history endpoint itself returns only paths to the snapshot on the server, the impact on users' data privacy is minimal. This issue has been addressed in version 0.45.13. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Analysis
by VulDB Data Team • 02/19/2026
The vulnerability identified as CVE-2024-23329 affects changedetection.io, an open source website monitoring tool that enables users to track content changes on web pages. This security flaw represents a critical authorization bypass issue that compromises the privacy of user data through improper access controls. The affected API endpoint `/api/v1/watch/<uuid>/history` was designed to provide authenticated users with access to their watch history, but due to inadequate validation mechanisms, unauthorized parties could access this information without proper authentication. The vulnerability stems from a lack of proper access control enforcement, allowing any user to retrieve watch history data from the system, potentially exposing sensitive monitoring information about user activities and website content changes.
The technical implementation of this flaw demonstrates a classic authorization bypass vulnerability where the system fails to verify user credentials before granting access to protected resources. The endpoint structure follows a predictable pattern where watch history is accessed via UUID identifiers, which creates a potential attack surface where malicious actors could enumerate or guess valid UUIDs to access other users' watch history data. While the vulnerability does not directly expose the actual content of website snapshots, it does provide unauthorized access to metadata about monitoring activities, including which websites are being watched and when changes were detected. This information alone can reveal user behavior patterns and potentially sensitive monitoring activities, particularly in environments where website monitoring may involve proprietary or confidential content.
The operational impact of this vulnerability extends beyond simple privacy concerns to encompass potential data exposure and user trust implications. Although the attack requires knowledge of specific watch UUIDs, the fact that unauthorized users can access watch history data means that any user with access to the system or knowledge of valid UUIDs can potentially discover what content other users are monitoring. This creates a significant privacy risk for users who may be monitoring sensitive websites or content that could be considered private or confidential. The vulnerability affects all versions prior to 0.45.13, making it a widespread concern for organizations using older installations of the tool. The minimal impact on data privacy mentioned in the description is misleading as it overlooks the metadata exposure that can reveal user monitoring patterns and potentially sensitive information about website content changes.
Security standards such as CWE-284 provide clear guidance on improper access control vulnerabilities, which directly applies to this situation where insufficient authorization checks allow unauthorized access to protected resources. The vulnerability also aligns with ATT&CK technique T1213.002 related to data from information repositories, as it enables unauthorized access to stored monitoring data through API endpoints. Organizations using changedetection.io should immediately upgrade to version 0.45.13 or later to remediate this vulnerability, as no workarounds are available to address the authorization bypass. The fix implemented in the updated version likely involves strengthening access control mechanisms at the API endpoint level, ensuring that proper authentication and authorization checks are enforced before allowing access to watch history data. This vulnerability serves as a reminder of the importance of implementing robust access controls even in open source monitoring tools where user privacy and data protection must be maintained as fundamental security principles.
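As an added illustration, not code from changedetection.io itself, the following shows the shape of the missing check beside a hardened variant: the same history lookup once without and once behind an API-key decorator. A plain `(headers, uuid)` calling convention stands in for the web framework so it runs without the project; the UUID, snapshot paths and key are constructed sample values and `require_api_key` is a hypothetical name.

```python
import hmac
from functools import wraps

# Constructed sample state: one watch UUID mapping to its snapshot paths on disk.
WATCHES = {
    "3f1d0c4e-8a7b-4e3c-9b0a-0d4f2b6e9c11": ["history/1700000000.txt", "history/1700003600.txt"],
}
# Assumed server-side API key; a real deployment loads this from its configuration.
API_KEY = "example-key-not-real"


def require_api_key(view):
    """Reject the request unless the x-api-key header matches the configured key."""
    @wraps(view)
    def wrapper(headers, uuid):
        supplied = headers.get("x-api-key", "")
        # Constant-time comparison so the check does not leak key bytes via timing.
        if not hmac.compare_digest(supplied.encode(), API_KEY.encode()):
            return 403, {"error": "api key required"}
        return view(headers, uuid)
    return wrapper


def watch_history_unprotected(headers, uuid):
    """Mirrors the flaw: the history view runs with no credential check at all."""
    if uuid not in WATCHES:
        return 404, {"error": "unknown watch"}
    return 200, {"history": WATCHES[uuid]}


@require_api_key
def watch_history_protected(headers, uuid):
    """Hardened variant: authentication is enforced before the lookup runs, so an
    unauthenticated caller cannot even use 404-vs-200 to probe which UUIDs exist."""
    if uuid not in WATCHES:
        return 404, {"error": "unknown watch"}
    return 200, {"history": WATCHES[uuid]}


if __name__ == "__main__":
    uuid = next(iter(WATCHES))
    print("unprotected, no key:", watch_history_unprotected({}, uuid)[0])   # 200
    print("protected, no key:  ", watch_history_protected({}, uuid)[0])     # 403
    print("protected, with key:", watch_history_protected({"x-api-key": API_KEY}, uuid)[0])  # 200
```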