Description
Wallos is an open-source, self-hostable personal subscription tracker. In versions 4.8.4 and prior, the webhook notification feature reuses an administrator-configured local-target allowlist for every logged-in user. Any normal user can fully control a webhook URL, headers, and body, then use Wallos to send server-side requests to allowlisted internal automation services. When such a target exposes deployment or execution APIs, this can further enable adjacent-service RCE, but that downstream result is conditional on the target service. At time of publication, there are no publicly available patches.
Published: 2026-05-07
Score: 6 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw lets any authenticated, non‑administrative user craft a webhook request (URL, headers and body are all under the user's control) that the Wallos server then sends on the user's behalf to any host listed in the local‑target allowlist. Because that allowlist is administrator‑configured but applied to every logged‑in user, a normal account gains server‑side reach into internal endpoints it could not contact directly. Where an allowlisted service exposes deployment or command‑execution APIs, the crafted request can invoke them, and the outcome can be remote code execution on that adjacent host; this downstream result depends entirely on what the target service exposes. The root causes are server‑side request forgery (CWE‑918) combined with an incorrect authorization check (CWE‑863): the allowlist is a per‑target control that was never scoped to the privilege level of the user invoking it.
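How the shared allowlist becomes an authorization bug, as an added example in Python that is not Wallos code: it models the send‑time decision "may this user make the server send a request to this URL?" twice, once the way the advisory describes (one admin‑configured list honoured for every user) and once scoped so the list only widens what an administrator may reach. The User class, the FAKE_DNS table, resolve() and the two check functions are assumptions made for this illustration; the page does not show the application's real data structures.

```python
"""Send-time authorization for outbound webhooks, modelled on CVE-2026-41689.

Added example, not Wallos code. User, FAKE_DNS, resolve() and the two check
functions are assumptions made for this illustration.
"""
import ipaddress
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed name table so the example runs offline. A real implementation
# resolves via DNS and must connect to the address it checked (pin it), or a
# rebinding name can pass the check and then point at an internal host.
FAKE_DNS = {
    "ci.internal": "10.0.5.20",
    "hooks.example.net": "93.184.216.34",
    "localhost": "127.0.0.1",
}


@dataclass(frozen=True)
class User:
    name: str
    is_admin: bool


def resolve(host):
    """Address for a hostname; IP literals pass straight through, unknown names give None."""
    try:
        return ipaddress.ip_address(host)
    except ValueError:
        mapped = FAKE_DNS.get(host.lower())
        return ipaddress.ip_address(mapped) if mapped else None


def is_internal(addr):
    """Loopback, RFC 1918 / ULA, link-local and reserved space all count as internal."""
    return addr.is_loopback or addr.is_private or addr.is_link_local or addr.is_reserved


def _parse(url):
    """Accept only http(s) URLs with a host; anything else is refused outright."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    return parts


def vulnerable_check(user, url, local_target_allowlist):
    """The pattern the advisory describes: one admin-configured allowlist of
    local targets is honoured for every logged-in user, so `user` never
    enters the decision at all."""
    parts = _parse(url)
    if parts is None:
        return False
    addr = resolve(parts.hostname)
    if addr is None:
        return False
    if not is_internal(addr):
        return True  # public targets are open to everyone
    return parts.hostname.lower() in local_target_allowlist


def hardened_check(user, url, local_target_allowlist):
    """Scoped version: the allowlist only widens what an administrator may
    reach. A non-admin user never gets a server-side request into internal
    address space, whatever the list says."""
    parts = _parse(url)
    if parts is None:
        return False
    addr = resolve(parts.hostname)
    if addr is None:
        return False
    if not is_internal(addr):
        return True
    if not user.is_admin:
        return False
    return parts.hostname.lower() in local_target_allowlist
```

With the allowlist {"ci.internal"}, a normal user's webhook to http://ci.internal:8080/api/deploy passes vulnerable_check and is refused by hardened_check, while an administrator's is accepted by both; a public hooks.example.net target is accepted for everyone in both versions, which is the behaviour the feature exists for.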

Affected Systems

Wallos versions 4.8.4 and earlier, from the vendor ellite. The product is an open‑source, self‑hostable subscription‑tracking application; no other products are listed as affected.

Risk and Exploitability

The CVSS 3.1 base score is 6.0 (Medium), vector CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:L: reachable over the network, low privileges (any regular user account), no user interaction, and changed scope because the damage lands on a host other than Wallos itself. Attack complexity is rated high, consistent with success depending on what the allowlist contains and what the reachable service exposes rather than on Wallos alone. No EPSS value is available and the vulnerability is not listed in CISA's KEV catalog; the SSVC enrichment records Exploitation as "poc", Automatable as "no" and Technical Impact as "partial". From the attacker's side the steps are simple: log in as a normal user, configure a webhook whose URL points at an allowlisted internal host and whose headers and body match what that host's API expects, and trigger the notification. If the target exposes no dangerous API, the impact is limited to whatever unauthorized reads or state changes that service permits.

Generated by OpenCVE AI on May 7, 2026 at 15:06 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Restrict the webhook feature to administrators, or remove the local‑target allowlist entirely when no administrator workflow needs it, so that ordinary accounts cannot reach internal hosts through Wallos.
  • Apply egress controls (network segmentation, firewall rules on the Wallos host or container) so that Wallos cannot reach internal services that expose deployment or execution endpoints.
  • Review every host kept on the allowlist and harden those services: require authentication on their APIs and ensure no unauthenticated endpoint can deploy or execute anything.
  • Keep Wallos updated and watch the vendor's repository for a patch that scopes the allowlist to administrators; none was available at publication.
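An offline audit that applies the first and third recommendations above to stored webhook configurations, as an added example in Python (not Wallos code): it reports every non‑administrator webhook whose target is an allowlisted local host, which is exactly the traffic a normal user should not be able to generate, and every allowlist entry that no administrator webhook uses and is therefore a candidate for removal. The record layout, the WEBHOOKS rows and LOCAL_TARGET_ALLOWLIST are constructed for the example; the real rows would be read from the Wallos database, whose schema this page does not show.

```python
"""Audit stored webhook configurations against the shared local-target allowlist.

Added example, not Wallos code. The record layout (owner, role, url) and the
allowlist format are assumptions; adapt the loader to the real database.
"""
from urllib.parse import urlsplit

# Constructed sample data standing in for rows read from the application database.
LOCAL_TARGET_ALLOWLIST = {"ci.internal", "n8n.internal", "grafana.internal"}
WEBHOOKS = [
    {"owner": "admin", "role": "admin", "url": "https://n8n.internal/webhook/renewal"},
    {"owner": "alice", "role": "user",  "url": "http://ci.internal:8080/api/deploy"},
    {"owner": "bob",   "role": "user",  "url": "https://hooks.example.net/abc"},
    {"owner": "carol", "role": "user",  "url": "http://n8n.internal/webhook/test"},
]


def target_host(url):
    """Lower-cased hostname of a webhook URL, or '' when the URL has none."""
    return (urlsplit(url).hostname or "").lower()


def audit_webhooks(webhooks, allowlist):
    """Return (exposures, unused_entries).

    exposures: (owner, host, url) for each non-admin webhook whose target is an
    allowlisted local service; with the shared allowlist these are requests
    Wallos will send on a normal user's behalf.
    unused_entries: allowlist hosts no administrator webhook points at; they
    widen non-admin reach without serving any admin use and can be removed.
    """
    allow = {h.lower() for h in allowlist}
    exposures = []
    admin_used = set()
    for wh in webhooks:
        host = target_host(wh["url"])
        if host not in allow:
            continue  # public target: not covered by the allowlist at all
        if wh["role"] == "admin":
            admin_used.add(host)
        else:
            exposures.append((wh["owner"], host, wh["url"]))
    return exposures, sorted(allow - admin_used)


if __name__ == "__main__":
    found, unused = audit_webhooks(WEBHOOKS, LOCAL_TARGET_ALLOWLIST)
    for owner, host, url in found:
        print(f"EXPOSED: {owner} -> {host} ({url})")
    for host in unused:
        print(f"UNUSED ALLOWLIST ENTRY: {host}")
```

Until a patch is available, every EXPOSED line is a webhook to delete or re‑own, and every UNUSED entry is one to drop from the allowlist; rerun the audit after each change and after any new user is created.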

Advisories

No advisories yet.

History

Thu, 07 May 2026 15:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Ellite; Ellite wallos
Vendors & Products | | Ellite; Ellite wallos

Thu, 07 May 2026 15:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 07 May 2026 14:30:00 +0000

Type | Values Removed | Values Added
Description | | Wallos is an open-source, self-hostable personal subscription tracker. In versions 4.8.4 and prior, the webhook notification feature reuses an administrator-configured local-target allowlist for every logged-in user. Any normal user can fully control a webhook URL, headers, and body, then use Wallos to send server-side requests to allowlisted internal automation services. When such a target exposes deployment or execution APIs, this can further enable adjacent-service RCE, but that downstream result is conditional on the target service. At time of publication, there are no publicly available patches.
Title | | Wallos: Shared local webhook allowlist lets low-privilege users send arbitrary requests to allowlisted internal services
Weaknesses | | CWE-863; CWE-918
References | |
Metrics | | cvssV3_1: {'score': 6, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:L'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-07T14:43:47.455Z

Reserved: 2026-04-22T03:53:24.407Z

Link: CVE-2026-41689

Vulnrichment

Updated: 2026-05-07T14:43:42.970Z

NVD

Status: Deferred

Published: 2026-05-07T15:16:09.387

Modified: 2026-05-07T16:16:20.623

Link: CVE-2026-41689

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-07T15:30:05Z

Weaknesses