CVE-2026-33401 Overview
CVE-2026-33401 is a Server-Side Request Forgery (SSRF) vulnerability affecting Wallos, an open-source, self-hostable personal subscription tracker. Prior to version 4.7.0, an incomplete security patch for CVE-2026-30840 left three critical attack surfaces unprotected: the AI Ollama host parameter, the AI recommendations endpoint, and the notification cron job. An authenticated attacker can exploit these endpoints to access internal network services, cloud metadata endpoints, or localhost-bound services.
Critical Impact
Authenticated users can access internal network resources, cloud provider metadata endpoints (AWS IMDSv1, GCP, Azure IMDS), and localhost-bound services through unprotected SSRF vectors, potentially leading to credential theft and lateral movement within cloud environments.
Affected Products
- Wallosapp Wallos versions prior to 4.7.0
- Self-hosted Wallos instances with AI integration enabled
- Deployments with notification features configured
Discovery Timeline
- 2026-03-24 - CVE-2026-33401 published to NVD
- 2026-03-26 - Last updated in NVD database
Technical Details for CVE-2026-33401
Vulnerability Analysis
This SSRF vulnerability (CWE-918) stems from an incomplete security fix implemented in commit e8a513591. While the original patch addressed SSRF protection in notification test endpoints, it failed to extend the same protections to three additional user-controllable URL parameters. The vulnerability allows authenticated users to manipulate server-side requests to arbitrary destinations, including internal network addresses and cloud metadata services.
The attack surface is network-accessible and requires low authentication privileges. The primary impact is confidentiality compromise, as attackers can exfiltrate sensitive data from internal services and cloud provider metadata endpoints without requiring user interaction.
Root Cause
The root cause lies in inconsistent input validation across multiple endpoints that accept URL parameters. When the SSRF mitigation was applied to notification test endpoints, the developers overlooked similar URL-handling functionality in the AI Ollama host configuration, AI recommendations endpoint, and the notification cron job processing. Each of these endpoints accepts user-supplied URLs without proper validation to prevent requests to internal or restricted network addresses.
Attack Vector
The attack vector involves an authenticated user supplying a maliciously crafted URL to any of the three unprotected endpoints. The Wallos server then makes a request to the attacker-specified destination, effectively acting as a proxy. This enables attackers to:
- Probe internal networks - Map internal services and discover attack surfaces not directly accessible from the internet
- Access cloud metadata endpoints - Retrieve IAM credentials from AWS IMDSv1 (http://169.254.169.254/), GCP, or Azure IMDS services
- Interact with localhost services - Access administrative interfaces or databases bound only to localhost
The vulnerability is particularly dangerous in cloud-hosted deployments where metadata endpoints can expose temporary credentials with potentially broad permissions.
Detection Methods for CVE-2026-33401
Indicators of Compromise
- Unusual outbound HTTP requests from the Wallos server to private IP ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16)
- Requests targeting cloud metadata endpoints (169.254.169.254, metadata.google.internal)
- Anomalous activity in AI configuration or notification cron job logs
- HTTP requests to localhost addresses (127.0.0.1, ::1) from web application processes
Detection Strategies
- Monitor application logs for requests to the AI Ollama host endpoint, AI recommendations endpoint, and notification cron job with suspicious URL parameters
- Implement network-level monitoring for egress traffic to metadata IP ranges and internal subnets
- Review web server access logs for patterns indicating SSRF probing attempts
- Alert on HTTP responses containing cloud provider credential structures or internal service data
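The missing check and its detection counterpart, as one added Python example that is not Wallos's own code: check_outbound_url is the single destination guard the incomplete fix should have applied to the AI Ollama host, AI recommendations and notification cron paths (the Root Cause above), and flag_log_lines runs the same guard over constructed application log lines to surface the suspicious URL parameters the detection strategies refer to. The METADATA_HOSTS deny list, the log format and the endpoint names are assumptions.

```python
import ipaddress, re, socket
from urllib.parse import urlparse

METADATA_HOSTS = {"metadata.google.internal", "metadata", "instance-data"}  # constructed deny list

def is_restricted_address(ip: str) -> bool:
    """Loopback, link-local (169.254.169.254), RFC 1918, CGNAT, unspecified: not globally routable."""
    addr = ipaddress.ip_address(ip)
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped:
        addr = addr.ipv4_mapped  # unwrap ::ffff:a.b.c.d so the IPv4 rules apply
    return not addr.is_global

def check_outbound_url(url: str, resolve=socket.getaddrinfo):
    """Return (allowed, reason). One guard shared by every URL-accepting endpoint; `resolve` is injectable."""
    parts = urlparse(url)
    if parts.scheme not in ("http", "https"):
        return False, "scheme not allowed"
    host = parts.hostname
    if not host:
        return False, "missing host"
    if host.lower().rstrip(".") in METADATA_HOSTS:
        return False, "metadata hostname"
    try:
        addrs = [str(ipaddress.ip_address(host))]
    except ValueError:
        try:
            addrs = sorted({info[4][0] for info in resolve(host, parts.port or 80)})
        except OSError:
            return False, "hostname does not resolve"
    # Reject any restricted DNS answer (a mixed public/private set is a rebinding setup); pin the checked address when connecting and re-check on each redirect.
    bad = [a for a in addrs if is_restricted_address(a)]
    return (False, f"resolves to restricted address {bad[0]}") if bad else (True, "ok")

# Detection side: hypothetical log format in which each URL-accepting endpoint records the destination it was asked to contact; lines are constructed.
SAMPLE_LOG = """\
endpoint=ai_ollama_host user=alice url=https://ollama.example.com/
endpoint=ai_ollama_host user=mallory url=http://169.254.169.254/
endpoint=notification_cron user=mallory url=http://[::ffff:127.0.0.1]/
endpoint=ai_recommendations user=bob url=http://metadata.google.internal/
""".splitlines()
LOG_RE = re.compile(r"endpoint=(?P<endpoint>\S+) user=(?P<user>\S+) url=(?P<url>\S+)")

def flag_log_lines(lines, resolve=socket.getaddrinfo):
    """Return (endpoint, user, url, reason) for every line whose URL the guard rejects."""
    hits = []
    for m in filter(None, map(LOG_RE.search, lines)):
        ok, reason = check_outbound_url(m["url"], resolve)
        if not ok:
            hits.append((m["endpoint"], m["user"], m["url"], reason))
    return hits
```

Run flag_log_lines(SAMPLE_LOG) against a real resolver and the alice line passes while the other three are reported with the reason the guard would have refused them.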
Monitoring Recommendations
- Deploy web application firewall rules to detect and block SSRF patterns in URL parameters
- Enable detailed logging for all endpoints that accept URL inputs
- Configure cloud provider IMDS to require session tokens (AWS IMDSv2) to mitigate metadata theft
How to Mitigate CVE-2026-33401
Immediate Actions Required
- Upgrade Wallos to version 4.7.0 or later immediately
- Review access logs for any exploitation attempts targeting the affected endpoints
- Rotate any credentials that may have been exposed through cloud metadata access
- Implement network segmentation to limit the Wallos server's ability to reach sensitive internal resources
Patch Information
The vulnerability has been patched in Wallos version 4.7.0. The fix is documented in commit e87387f0ebb540cd33e6dfda7181db9db650ecef. Organizations should update to the patched version and review the GitHub Security Advisory GHSA-r82v-p8cg-rgx3 for complete details.
Workarounds
- Disable AI integration features (Ollama host configuration and AI recommendations) until patching is possible
- Implement network-level controls to prevent the Wallos server from accessing cloud metadata endpoints and internal networks
- Use a reverse proxy with URL validation to filter requests containing internal IP addresses or metadata endpoint addresses
- Restrict authenticated user access to trusted personnel only until the patch is applied
# Example iptables rules to block metadata endpoint access from Wallos server.
# Caveats: these OUTPUT drops apply to every process on the host, not only the
# web application, and also cut the server off from any database, SMTP relay or
# Ollama host living in those private ranges; 169.254.169.253 is the AWS VPC
# DNS resolver, so dropping it breaks name resolution on AWS. Scope the rules to
# the web server's user (e.g. -m owner --uid-owner www-data) and insert ACCEPT
# rules for legitimate internal dependencies ahead of these DROPs.
iptables -A OUTPUT -d 169.254.169.254 -j DROP
iptables -A OUTPUT -d 169.254.169.253 -j DROP
iptables -A OUTPUT -d 10.0.0.0/8 -j DROP
iptables -A OUTPUT -d 172.16.0.0/12 -j DROP
iptables -A OUTPUT -d 192.168.0.0/16 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.