CVE-2026-33407 Overview
CVE-2026-33407 is a Server-Side Request Forgery (SSRF) vulnerability [CWE-918] in Wallos, an open-source self-hostable personal subscription tracker. The flaw exists in the endpoints/logos/search.php script, which accepts HTTP_PROXY and HTTPS_PROXY environment variables without validation. The server also performs DNS resolution on attacker-controlled search terms, enabling outbound requests to arbitrary domains. The maintainer patched the issue in version 4.7.0.
Critical Impact
Attackers can hijack the application proxy configuration and coerce the Wallos backend into issuing requests to internal services, cloud metadata endpoints, or attacker-controlled infrastructure.
Affected Products
- Wallosapp Wallos prior to version 4.7.0
- Self-hosted Wallos deployments exposing the endpoints/logos/search.php endpoint
- All container and bare-metal installations sharing the vulnerable codebase
Discovery Timeline
- 2026-03-24 - CVE-2026-33407 published to the National Vulnerability Database (NVD)
- 2026-03-26 - Last updated in NVD database
Technical Details for CVE-2026-33407
Vulnerability Analysis
Wallos exposes a logo search endpoint at endpoints/logos/search.php that issues outbound HTTP requests to fetch brand assets. The endpoint reads proxy configuration from the HTTP_PROXY and HTTPS_PROXY environment variables without any validation or allow-listing. When the request handler resolves a user-supplied search term, it performs DNS lookups against attacker-controlled input. Combined, these two behaviors allow an unauthenticated network attacker to redirect server-issued traffic through a proxy of their choosing and target arbitrary hostnames.
The vulnerability is reachable over the network without authentication or user interaction. Because the server initiates the request, network controls that protect internal services from external clients do not apply. Attackers can pivot to cloud metadata services, internal administrative interfaces, or other services bound to loopback or private address ranges.
Root Cause
The root cause is missing input validation on both proxy environment variables and user-supplied search terms passed to the outbound HTTP client. The endpoint trusts process environment for proxy routing decisions and trusts request parameters for destination resolution. No allow-list, scheme restriction, or address filtering blocks requests targeting private or link-local ranges.
Attack Vector
An attacker sends a crafted request to endpoints/logos/search.php with a search term that resolves to an internal host. If the deployment honors HTTP_PROXY or HTTPS_PROXY values controllable through deployment configuration, application hosting platforms, or upstream request headers respected by the runtime, the attacker can also reroute the outbound traffic to capture or manipulate it. The patch in version 4.7.0 removes reliance on the unvalidated proxy variables and constrains outbound destinations. Refer to the GitHub Security Advisory GHSA-hhjq-82f8-m6rc and the GitHub Commit Changes for the precise code changes.
Detection Methods for CVE-2026-33407
Indicators of Compromise
- Outbound connections from the Wallos host to internal RFC1918, loopback, or cloud metadata addresses such as 169.254.169.254
- DNS queries originating from the Wallos process for hostnames matching attacker-supplied search terms rather than legitimate logo CDN domains
- Unexpected HTTP_PROXY or HTTPS_PROXY values present in the Wallos process environment
- Access log entries hitting endpoints/logos/search.php from unauthenticated sources with unusual query parameters
Detection Strategies
- Inspect web server access logs for high-volume or anomalous requests to endpoints/logos/search.php
- Correlate web requests to the endpoint with outbound network flows that target non-CDN destinations
- Audit the Wallos runtime environment to confirm proxy variables are unset or pinned to known-good values
Monitoring Recommendations
- Forward Wallos web and process telemetry to a centralized logging platform for correlation
- Alert on egress connections from the Wallos host to private network ranges or cloud instance metadata services
- Monitor for new or modified environment variables on the Wallos workload using host integrity tooling
How to Mitigate CVE-2026-33407
Immediate Actions Required
- Upgrade Wallos to version 4.7.0 or later on all self-hosted instances
- Remove HTTP_PROXY and HTTPS_PROXY from the Wallos process environment unless explicitly required
- Restrict egress from the Wallos host using a firewall policy that blocks RFC1918 and link-local destinations
- Place the application behind an authenticated reverse proxy to limit unauthenticated reach to endpoints/logos/search.php
Patch Information
The maintainer fixed CVE-2026-33407 in Wallos version 4.7.0. The corrective change is documented in the GitHub Commit Changes and the GitHub Security Advisory GHSA-hhjq-82f8-m6rc. Operators running container images should pull the 4.7.0 tag or later and redeploy.
Workarounds
- Block public access to endpoints/logos/search.php at the reverse proxy until upgrade is possible
- Deny egress traffic from the Wallos workload to internal subnets and metadata endpoints
- Run Wallos in a network namespace that lacks routes to sensitive internal services
# Example egress restriction blocking metadata and private ranges from the Wallos host
iptables -A OUTPUT -d 169.254.169.254 -j DROP
iptables -A OUTPUT -d 10.0.0.0/8 -j DROP
iptables -A OUTPUT -d 172.16.0.0/12 -j DROP
iptables -A OUTPUT -d 192.168.0.0/16 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
