Summary
Workarounds
For operators who cannot upgrade immediately, any of the following materially reduces or eliminates exposure:
- Disable public sign-up: set
MONETR_ALLOW_SIGN_UP=falseso only operator-trusted users can reach the vulnerable
endpoint. Recommended in general for internet-exposed self-hosted deployments. - Disable Lunch Flow entirely: set
lunchFlow.enabled: falsein your config file. The endpoints will return 404 for
all callers. - Network-level egress restriction: restrict outbound HTTP egress from the monetr pod/container to only
lunchflow.app(or whichever legitimate Lunch Flow hosts you use). Blocks the SSRF primitive regardless of
application-layer validation. - On AWS EC2 specifically: enforce IMDSv2 on the instance. This eliminates the cloud-metadata exfil path even if the
SSRF primitive remains reachable.
Impact
A server-side request forgery (SSRF) vulnerability in monetr's Lunch Flow integration allowed any authenticated user on
a self-hosted instance to cause the monetr server to issue HTTP GET requests to arbitrary URLs supplied by the caller,
with the response body from non-200 upstream responses reflected back in the API error message.
The URL validator on POST /api/lunch_flow/link only checked the URL scheme and rejected query parameters; it did not
filter loopback, RFC1918, link-local, or cloud-provider metadata addresses. The outbound HTTP client read the response
body via an unbounded io.ReadAll, and the controller intentionally surfaced the resulting error (which contained the
upstream body) as the JSON error field of the API response.
Who is affected: self-hosted monetr deployments running the default configuration. Out of the box,LunchFlow.Enabled=true, AllowSignUp=true, and billing is not enforced, so any user who can register on the instance
can reach the vulnerable endpoint. Deployments running in a cloud environment where instance metadata is reachable from
the pod (e.g. AWS EC2 without IMDSv2 enforced) expand the impact to include potential exposure of instance metadata
through the reflected error body.
Who is NOT affected: the hosted my.monetr.app service, which runs with LunchFlow.Enabled=false. Self-hosted
operators who had already disabled public sign-up (MONETR_ALLOW_SIGN_UP=false) substantially reduce their exposure
since only operator-trusted users can reach the endpoint.
A secondary denial-of-service vector also existed: because the outbound response body was read with no size cap, an
attacker-influenced upstream could return a multi-GB body that monetr would fully buffer into memory.
The application allocates resources such as memory, threads, or file descriptors based on untrusted input without enforcing a cap. Typical impact: resource exhaustion leading to denial of service.
Affected versions
Security releases
Kodem intelligence
Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.
Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.
Remediation advice
Fixed in monetr v1.12.5. Users should upgrade to this release or later.
The fix introduces a new config field LunchFlow.AllowedApiUrls (a list of permitted Lunch Flow API URLs) with a
default of ["https://lunchflow.app/api/v1"]. URLs outside the allowlist are rejected both at link-creation time and at
client-construction time, with a server-side warning log on rejection. Response body reads are capped at 10 MiB for both
success and error paths. The UI renders the API URL field as a disabled pre-filled input when a single URL is allowed,
or a dropdown when multiple are allowed, so operators who need to use a staging or self-hosted Lunch Flow API opt in
explicitly via config.
Upgrade note for self-hosters with a custom Lunch Flow URL: if your existing LunchFlowLink records point at a URL
other than https://lunchflow.app/api/v1, set your lunchFlow.allowedApiUrls in your yaml config to include your
custom URL before upgrading. Otherwise existing links will fail on next refresh or sync with a "Rejected Lunch Flow API URL that is not in the configured allowlist" warning in the server log.
Frequently Asked Questions
- What is CVE-2026-41644? CVE-2026-41644 is a high-severity allocation of resources without limits or throttling vulnerability in github.com/monetr/monetr (go), affecting versions < 1.12.5. It is fixed in 1.12.5. The application allocates resources such as memory, threads, or file descriptors based on untrusted input without enforcing a cap.
- Which versions of github.com/monetr/monetr are affected by CVE-2026-41644? github.com/monetr/monetr (go) versions < 1.12.5 is affected.
- Is there a fix for CVE-2026-41644? Yes. CVE-2026-41644 is fixed in 1.12.5. Upgrade to this version or later.
- Is CVE-2026-41644 exploitable, and should I be worried? Whether CVE-2026-41644 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
- What actually determines whether CVE-2026-41644 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
- How do I fix CVE-2026-41644? Upgrade
github.com/monetr/monetrto 1.12.5 or later.