CVE-2026-33401 in Wallos

Summary

by MITRE • 03/24/2026

Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.7.0, the patch introduced in commit e8a513591 (CVE-2026-30840) added SSRF protection to notification test endpoints but left three additional attack surfaces unprotected: the AI Ollama host parameter, the AI recommendations endpoint, and the notification cron job. An authenticated user can reach internal network services, cloud metadata endpoints (AWS IMDSv1, GCP, Azure IMDS), or localhost-bound services by supplying a crafted URL to any of these endpoints. This issue has been patched in version 4.7.0.


Analysis

by VulDB Data Team • 03/29/2026

The vulnerability identified as CVE-2026-33401 affects Wallos, an open-source personal subscription tracking application designed for self-hosting environments. This issue represents a significant security flaw that allows authenticated users to bypass intended network boundaries and access internal services that should remain protected from external reach. The vulnerability specifically impacts versions prior to 4.7.0, indicating that while a patch was implemented for one aspect of the system in CVE-2026-30840, additional attack vectors were overlooked during the security hardening process. The flaw stems from insufficient input validation and access control mechanisms within the application's AI and notification components, creating pathways for malicious exploitation.

The technical implementation of this vulnerability involves three distinct attack surfaces that collectively enable server-side request forgery attacks. The first vulnerable parameter is the AI Ollama host parameter, which accepts user-supplied URLs without proper sanitization or validation. The second attack vector is the AI recommendations endpoint, which processes external inputs that can be manipulated to reach internal resources. The third vulnerable component is the notification cron job, which executes automated tasks based on user-provided parameters. These three endpoints share a common flaw in their input handling, allowing attackers to specify arbitrary URLs that can traverse network boundaries and access protected internal services. The vulnerability operates under CWE-918, which specifically addresses server-side request forgery issues where applications fetch resources from untrusted sources without proper validation.

The operational impact of this vulnerability is severe for organizations that host Wallos in their internal networks, particularly those with cloud infrastructure or sensitive internal services. An authenticated user can exploit these vulnerabilities to access cloud metadata endpoints including AWS IMDSv1, GCP metadata services, and Azure Instance Metadata Service, potentially obtaining sensitive credentials and access tokens. Additionally, the attack surface extends to localhost-bound services, which could include database instances, administrative interfaces, or other internal applications that should not be directly accessible from the application layer. This exposure creates a significant risk for privilege escalation attacks, as cloud metadata services often contain credentials and configuration data that can be leveraged for further compromise. The vulnerability aligns with ATT&CK technique T1566.002, which involves server-side request forgery attacks targeting cloud metadata services, and T1071.004, which covers application layer protocol usage for data exfiltration.

The mitigation strategy for CVE-2026-33401 requires immediate deployment of version 4.7.0 or later, which addresses all three identified attack surfaces through comprehensive input validation and access control improvements. Organizations should also implement network segmentation and firewall rules to limit access to internal services from the Wallos application, particularly for cloud metadata endpoints that should not be accessible from application servers. Additional protective measures include implementing strict URL validation policies, using allowlists for external service calls, and monitoring for unusual network activity patterns that might indicate exploitation attempts. The patch addresses the root cause by ensuring that all user-provided URLs are properly validated against known safe domains and that internal network boundaries are respected during processing of automated tasks. Security teams should also conduct thorough penetration testing to verify that no additional attack surfaces remain unpatched and that proper access controls have been implemented across all components of the system.
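As an added illustration of the URL validation and allowlist controls described above (not Wallos code, and not the fix shipped in 4.7.0), the following Python check resolves an operator-supplied upstream URL such as an Ollama host and rejects any destination that is loopback, private, link-local (the address class used by the AWS, GCP and Azure metadata services) or otherwise not externally routable. The `resolver` parameter and the host names used with it are constructed for offline use; the caller must connect to the returned address rather than re-resolving the name, otherwise a changed DNS answer between check and use defeats the check.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def _is_forbidden_ip(ip) -> bool:
    """True for any address a server-side fetch must never reach."""
    if ip.version == 6 and ip.ipv4_mapped is not None:
        # ::ffff:127.0.0.1 is 127.0.0.1 to the socket layer; judge the inner v4.
        ip = ip.ipv4_mapped
    # Explicit flags rather than relying on is_global alone: older Python
    # versions report some multicast/unspecified addresses as global.
    return (not ip.is_global or ip.is_loopback or ip.is_private
            or ip.is_link_local or ip.is_multicast or ip.is_unspecified)


def validate_upstream_url(url: str, resolver=socket.getaddrinfo) -> str:
    """Validate an operator-supplied URL and return the one IP to connect to.

    Raises ValueError on any rejection. `resolver` has getaddrinfo's shape
    and is injectable so the check can be unit-tested without live DNS.
    """
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    if not parts.hostname:
        raise ValueError("URL has no host")
    if parts.username is not None or parts.password is not None:
        raise ValueError("embedded credentials are not allowed")
    try:
        # Literal IP (IPv6 brackets are already stripped by urlsplit).
        candidates = [ipaddress.ip_address(parts.hostname)]
    except ValueError:
        infos = resolver(parts.hostname, parts.port or 80, proto=socket.IPPROTO_TCP)
        candidates = [ipaddress.ip_address(info[4][0]) for info in infos]
    if not candidates:
        raise ValueError(f"host does not resolve: {parts.hostname!r}")
    # Reject if ANY answer is internal: a mixed record set is how a hostile
    # zone slips an internal target past a check that inspects one record.
    for ip in candidates:
        if _is_forbidden_ip(ip):
            raise ValueError(f"destination {ip} is not externally routable")
    return str(candidates[0])
```

The same function serves the Ollama host setting, the recommendations endpoint and the cron job, which is the point: one validator applied at every place a URL leaves the application, rather than per-endpoint patches.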

Responsible

GitHub_M

Reservation

03/19/2026

Disclosure

03/24/2026

Moderation

accepted

CPE

ready

EPSS

0.00042

KEV

no

Activities

very low

Sources
