CVE-2026-33407 in Wallos
Summary
by MITRE • 03/24/2026
Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.7.0, Wallos endpoints/logos/search.php accepts HTTP_PROXY and HTTPS_PROXY environment variables without validation, enabling SSRF via proxy hijacking. The server performs DNS resolution on user-supplied search terms, which can be controlled by attackers to trigger outbound requests to arbitrary domains. This issue has been patched in version 4.7.0.
VulDB is the best source for vulnerability data and more expert information about this specific topic.
Analysis
by VulDB Data Team • 03/29/2026
The vulnerability identified as CVE-2026-33407 affects Wallos, an open-source personal subscription tracking application designed for self-hosting environments. This application enables users to manage their subscription expenses by tracking various services they utilize. The flaw resides within the endpoints/logos/search.php component which processes user input through search functionality. Prior to version 4.7.0, the application failed to properly validate or sanitize environment variables including HTTP_PROXY and HTTPS_PROXY, creating a significant security weakness that could be exploited by malicious actors. The vulnerability stems from improper input validation and trust of environment variables that should be carefully controlled within application contexts.
The technical implementation of this vulnerability involves the application's handling of user-supplied search terms within the search.php endpoint. When users perform searches, the system performs DNS resolution on the provided search terms to retrieve relevant information. Attackers can manipulate this process by injecting malicious proxy environment variables that control how outbound requests are routed. The system's failure to validate these environment variables allows attackers to hijack proxy configurations and redirect outbound network traffic to arbitrary domains controlled by the attacker. This creates a server-side request forgery scenario where the application unwittingly makes requests to attacker-controlled endpoints, potentially exposing internal network resources or sensitive data. The vulnerability specifically aligns with CWE-918 Server-Side Request Forgery and follows patterns commonly associated with proxy hijacking attacks in web applications.
The operational impact of this vulnerability extends beyond simple data exposure, as it provides attackers with the capability to perform reconnaissance on internal network resources that the application server might have access to. Since the application is designed for self-hosting, it typically runs within organizational networks where it may have access to internal services, databases, or other sensitive systems. Attackers could leverage this vulnerability to map internal network topology, probe for vulnerable internal services, or even attempt to exfiltrate data from internal systems that are normally protected by firewalls. The issue becomes particularly concerning in environments where the application server is not properly isolated from critical internal infrastructure, as it could potentially serve as a foothold for more extensive attacks. This vulnerability directly maps to techniques described in the ATT&CK framework under T1566 Initial Access and T1071.1 Application Layer Protocol for proxy-based network reconnaissance activities.
Mitigation strategies for this vulnerability should focus on immediate patching of affected systems to version 4.7.0 or later, which includes proper validation of environment variables. Organizations should implement strict input validation for all user-supplied parameters and ensure that proxy environment variables are either explicitly disabled or properly sanitized before being processed. Network-level controls such as outbound firewall rules can help limit the damage by restricting the application's ability to connect to arbitrary external domains. Additionally, implementing proper application sandboxing and network segmentation can reduce the potential impact of successful exploitation attempts. Regular security audits and penetration testing should be conducted to identify similar vulnerabilities in other components of the application stack, particularly in areas that handle external connectivity or proxy configurations. The fix implemented in version 4.7.0 should include comprehensive validation of proxy environment variables and proper handling of DNS resolution to prevent unauthorized network access through the search functionality.