Description
Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.7.0, the patch introduced in commit e8a513591 (CVE-2026-30840) added SSRF protection to notification test endpoints but left three additional attack surfaces unprotected: the AI Ollama host parameter, the AI recommendations endpoint, and the notification cron job. An authenticated user can reach internal network services, cloud metadata endpoints (AWS IMDSv1, GCP, Azure IMDS), or localhost-bound services by supplying a crafted URL to any of these endpoints. This issue has been patched in version 4.7.0.
Published: 2026-03-24
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Server Side Request Forgery exposing internal services
Action: Patch Now
AI Analysis

Impact

The vulnerability originates from an incomplete patch that left three SSRF vectors unprotected within Wallos. An authenticated user can supply a crafted URL to the AI Ollama host parameter, the AI recommendations endpoint, or the notification cron job, forcing the server to resolve and contact arbitrary internal or cloud metadata services. This can expose sensitive environment data such as instance metadata, credentials or internal service traffic, compromising confidentiality and potentially facilitating lateral movement. The bug corresponds to the standard SSRF weakness, CWE-918.
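As an added illustration (not Wallos's own ssrf_helper.php, and written in Python rather than the project's PHP), one way to build the single outbound-URL gate that all three call sites named above should share: resolve the host first, then reject loopback, private, link-local (which covers the 169.254.169.254 metadata address) and IPv4-mapped IPv6 destinations. The DNS table and the call-site URLs are constructed for the example.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed DNS table so the example runs offline. A real deployment uses the
# system resolver and must check the resolved addresses, never the name alone.
FAKE_DNS = {
    "ollama.corp.example": ["10.0.0.12"],             # private-network service
    "metadata.google.internal": ["169.254.169.254"],  # cloud metadata address
    "localtest.example": ["127.0.0.1"],               # public name pointing at loopback
    "api.example.org": ["8.8.8.8"],                   # stands in for a public address
}

def is_blocked_address(ip):
    """True for any destination an app-initiated request must never reach."""
    if ip.version == 6 and ip.ipv4_mapped:   # e.g. ::ffff:169.254.169.254
        ip = ip.ipv4_mapped
    return (not ip.is_global) or ip.is_multicast

def outbound_url_allowed(url, resolver=FAKE_DNS.get):
    """Gate for every server-side fetch: Ollama host, recommendations, cron."""
    try:
        parts = urlsplit(url)
    except ValueError:                        # malformed IPv6 literal etc.
        return False
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    host = parts.hostname.lower()
    try:
        addrs = [ipaddress.ip_address(host)]  # literal IP, including [::1]
    except ValueError:
        resolved = resolver(host) or []
        if not resolved:
            return False                      # unresolvable: fail closed
        addrs = [ipaddress.ip_address(a) for a in resolved]
    # A name with several records is only safe if every address is safe.
    return not any(is_blocked_address(ip) for ip in addrs)

# Constructed sample of the three call sites the advisory names, plus one
# legitimate public destination.
SAMPLE_CALL_SITES = {
    "ollama_host": "http://ollama.corp.example:11434",
    "ai_recommendations": "http://metadata.google.internal/",
    "notification_cron": "http://[::1]:8080/hook",
    "allowed_webhook": "https://api.example.org/notify",
}

def audit_call_sites(sites=SAMPLE_CALL_SITES, resolver=FAKE_DNS.get):
    """Return {call_site: allowed} so every outbound URL is checked the same way."""
    return {name: outbound_url_allowed(url, resolver) for name, url in sites.items()}

if __name__ == "__main__":
    for name, ok in audit_call_sites().items():
        print(f"{name:20s} {'allowed' if ok else 'BLOCKED'}")
```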

Affected Systems

Wallos, an open-source subscription tracker developed by ellite, is affected. Versions of the application prior to 4.7.0 are vulnerable because the SSRF guard was not applied to the three endpoints mentioned above. The product is listed under the wallosapp:wallos CPE string. Any deployment of Wallos before the 4.7.0 release, especially one exposed to authenticated users, is at risk.

Risk and Exploitability

The assessed CVSS score is 7.1, indicating high severity, while the EPSS score of less than 1% and absence from the CISA KEV list suggest a low current exploitation probability. Nevertheless, because the flaw allows direct internal network access from an authenticated context, organizations should treat it as a moderate to high risk. Once the application is updated to 4.7.0, the risk is mitigated; before that, limiting the scope of authenticated access or blocking the vulnerable endpoints will reduce exposure.

Generated by OpenCVE AI on March 26, 2026 at 22:39 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Wallos to version 4.7.0 or later.

Generated by OpenCVE AI on March 26, 2026 at 22:39 UTC.

Advisories

No advisories yet.

History

Thu, 26 Mar 2026 21:00:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Wallosapp; Wallosapp wallos
CPEs                |                | cpe:2.3:a:wallosapp:wallos:*:*:*:*:*:*:*:*
Vendors & Products  |                | Wallosapp; Wallosapp wallos
Metrics             |                | cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}


Wed, 25 Mar 2026 12:00:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Ellite; Ellite wallos
Vendors & Products  |                | Ellite; Ellite wallos

Tue, 24 Mar 2026 18:15:00 +0000

Type    | Values Removed | Values Added
Metrics |                | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 24 Mar 2026 18:00:00 +0000

Type        | Values Removed | Values Added
Description |                | Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.7.0, the patch introduced in commit e8a513591 (CVE-2026-30840) added SSRF protection to notification test endpoints but left three additional attack surfaces unprotected: the AI Ollama host parameter, the AI recommendations endpoint, and the notification cron job. An authenticated user can reach internal network services, cloud metadata endpoints (AWS IMDSv1, GCP, Azure IMDS), or localhost-bound services by supplying a crafted URL to any of these endpoints. This issue has been patched in version 4.7.0.
Title       |                | Wallos: Incomplete fix for CVE-2026-30840 - SSRF in AI and notification endpoints bypass ssrf_helper.php
Weaknesses  |                | CWE-918
References  |                |
Metrics     |                | cvssV4_0 {'score': 7.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-24T18:11:38.820Z

Reserved: 2026-03-19T17:02:34.170Z

Link: CVE-2026-33401

Vulnrichment

Updated: 2026-03-24T18:11:30.124Z

NVD

Status : Analyzed

Published: 2026-03-24T18:16:11.467

Modified: 2026-03-26T20:49:04.470

Link: CVE-2026-33401

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-27T09:20:49Z

Weaknesses