Description
Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.6.2, Wallos allows an authenticated user to delete avatar files uploaded by other users. The avatar deletion endpoint does not verify that the requested avatar belongs to the current user. As a result, any authenticated user who knows or can discover another user's uploaded avatar filename can delete that file. This issue has been patched in version 4.6.2.
Published: 2026-03-07
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized deletion of user avatars
Action: Apply Patch
AI Analysis

Impact

Wallos is an open-source subscription tracking application that lets users upload profile pictures. The avatar deletion endpoint fails to verify ownership of the requested file, so any authenticated user who knows or can guess another user's avatar filename can delete it. This missing authorization check permits unintended data removal but does not lead to code execution or broader system compromise.
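The missing ownership check, as an added example that is not Wallos's own code (the project is PHP; this is a language-neutral sketch in Python): a deletion handler that trusts the client-supplied filename beside one that derives ownership from the session's user record. The user table, upload directory and handler names are constructed stand-ins.

```python
# Added illustration of CVE-2026-30842 (CWE-862) beside its fix; in-memory
# stand-ins and hypothetical handler names, not Wallos's own code.
from dataclasses import dataclass, field
from os.path import basename
from typing import Dict, Optional


@dataclass
class AppState:
    # user id -> avatar filename, standing in for the users table (constructed)
    avatars: Dict[int, Optional[str]] = field(
        default_factory=lambda: {1: "a1b2c3.png", 2: "d4e5f6.png"})
    # avatar filename -> bytes, standing in for the uploads directory (constructed)
    uploads: Dict[str, bytes] = field(
        default_factory=lambda: {"a1b2c3.png": b"\x89PNG", "d4e5f6.png": b"\x89PNG"})


def delete_avatar_vulnerable(state: AppState, current_user_id: int, filename: str) -> bool:
    """Pre-4.6.2 pattern: the caller is authenticated, but current_user_id is
    never compared against the owner of `filename`, so any known name is deleted."""
    if filename not in state.uploads:
        return False
    del state.uploads[filename]                 # unlink() in a real handler
    for uid, avatar in state.avatars.items():   # clears whichever user owned it
        if avatar == filename:
            state.avatars[uid] = None
    return True


def delete_avatar_fixed(state: AppState, current_user_id: int, filename: str) -> bool:
    """Hardened pattern: take ownership from the session's own user record and
    refuse anything else (a real handler would answer HTTP 403 here)."""
    requested = basename(filename)              # also strips any ../ prefix
    owned = state.avatars.get(current_user_id)
    if owned is None or owned != requested:
        return False
    state.uploads.pop(requested, None)
    state.avatars[current_user_id] = None
    return True


def demo() -> Dict[str, bool]:
    """Bob (id 2) requests deletion of Alice's (id 1) avatar under each handler."""
    vuln, fixed = AppState(), AppState()
    return {
        "vulnerable_cross_user": delete_avatar_vulnerable(vuln, 2, "a1b2c3.png"),
        "fixed_cross_user": delete_avatar_fixed(fixed, 2, "a1b2c3.png"),
        "fixed_own": delete_avatar_fixed(fixed, 2, "d4e5f6.png"),
        "alice_unaffected_after_fix": fixed.avatars[1] == "a1b2c3.png",
    }
```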

Affected Systems

The vulnerability exists in all Wallos releases prior to version 4.6.2 (vendor ellite, product Wallos). Users running these older versions are susceptible; the fix shipped in the 4.6.2 release. No other products or versions are indicated as affected.

Risk and Exploitability

The CVSS score is 4.3, reflecting a moderate impact. The EPSS score is below 1%, indicating a very low likelihood of exploitation as of the latest data, and the vulnerability is not listed in the CISA KEV catalog. An attacker would need authenticated access and knowledge of another user’s avatar filename, a condition that may be difficult to obtain without additional reconnaissance.

Generated by OpenCVE AI on April 16, 2026 at 10:59 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Wallos to version 4.6.2 or later, which enforces proper authorization on avatar deletion.
  • If an immediate upgrade is not possible, disable or remove the avatar deletion API for non-administrator accounts or reconfigure role permissions to restrict delete access to avatar owners.
  • Verify the integrity of existing avatars and consider revoking or rotating affected users’ passwords to rule out unauthorized activity, then review audit logs for recent deletion attempts.

Advisories

No advisories yet.

History

Wed, 11 Mar 2026 18:15:00 +0000

Type                 Values Removed   Values Added
First Time appeared  -                Wallosapp; Wallosapp wallos
CPEs                 -                cpe:2.3:a:wallosapp:wallos:*:*:*:*:*:*:*:*
Vendors & Products   -                Wallosapp; Wallosapp wallos

Tue, 10 Mar 2026 18:15:00 +0000

Type                 Values Removed   Values Added
Metrics              -                ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 09 Mar 2026 10:15:00 +0000

Type                 Values Removed   Values Added
First Time appeared  -                Ellite; Ellite wallos
Vendors & Products   -                Ellite; Ellite wallos

Sat, 07 Mar 2026 06:00:00 +0000

Type                 Values Removed   Values Added
Description          -                Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.6.2, Wallos allows an authenticated user to delete avatar files uploaded by other users. The avatar deletion endpoint does not verify that the requested avatar belongs to the current user. As a result, any authenticated user who knows or can discover another user's uploaded avatar filename can delete that file. This issue has been patched in version 4.6.2.
Title                -                Wallos: Authenticated Missing Authorization Allows Deletion of Other Users’ Uploaded Avatars
Weaknesses           -                CWE-862
References           -
Metrics              -                cvssV3_1 {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-10T17:58:23.693Z

Reserved: 2026-03-05T21:06:44.607Z

Link: CVE-2026-30842

Vulnrichment

Updated: 2026-03-10T17:50:40.601Z

NVD

Status : Analyzed

Published: 2026-03-07T06:16:11.763

Modified: 2026-03-11T18:06:58.190

Link: CVE-2026-30842

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T11:00:10Z

Weaknesses