CVE-2026-27479
Published: 21 February 2026
Summary
CVE-2026-27479 is a high-severity SSRF (CWE-918) vulnerability in Wallosapp Wallos. Its CVSS base score is 7.7 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Cloud Instance Metadata API (T1522). The CVE is ranked at the 13.6th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): Enforces rigorous validation of user-supplied URLs, including post-redirect destinations, to block SSRF bypasses in the logo upload function.
- SI-2 (Flaw Remediation): Directly remediates the SSRF vulnerability by identifying, patching, and verifying the fix as implemented in Wallos version 4.6.1.
- Monitors and controls application outbound network communications at boundaries to restrict access to internal resources such as cloud metadata endpoints.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
SSRF bypass via unvalidated redirects directly enables querying internal cloud instance metadata endpoints (T1522) to obtain credentials/tokens (T1552.005).
NVD Description
Wallos is an open-source, self-hostable personal subscription tracker. Versions 4.6.0 and below contain a Server-Side Request Forgery (SSRF) vulnerability in the subscription and payment logo/icon upload functionality. The application validates the IP address of the provided URL before making the request, but allows HTTP redirects (CURLOPT_FOLLOWLOCATION = true), enabling an attacker to bypass the IP validation and access internal resources, including cloud instance metadata endpoints. The getLogoFromUrl() function validates the URL by resolving the hostname and checking if the resulting IP is in a private or reserved range using FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE. However, the subsequent cURL request is configured with CURLOPT_FOLLOWLOCATION = true and CURLOPT_MAXREDIRS = 3, which means the request will follow HTTP redirects without re-validating the destination IP. This issue has been fixed in version 4.6.1.
Deeper analysis
Versions 4.6.0 and below of Wallos, an open-source self-hostable personal subscription tracker, contain CVE-2026-27479, a Server-Side Request Forgery (SSRF) vulnerability classified under CWE-918. The flaw resides in the subscription and payment logo/icon upload functionality, specifically the getLogoFromUrl() function. This function validates the provided URL by resolving its hostname and checking the resulting IP address against private or reserved ranges using FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE. However, the subsequent cURL request is configured with CURLOPT_FOLLOWLOCATION set to true and CURLOPT_MAXREDIRS set to 3, so HTTP redirects are followed to destinations whose IP addresses are never re-validated.
The vulnerability can be exploited by an authenticated attacker with low privileges (PR:L) over the network (AV:N), requiring low attack complexity (AC:L) and no user interaction (UI:N). By supplying a malicious URL that initially resolves to a public IP but redirects to internal resources, the attacker bypasses validation, enabling access to internal services such as cloud instance metadata endpoints. This results in high confidentiality impact (C:H) with a changed scope (S:C) and no integrity or availability effects (I:N/A:N), yielding a CVSS v3.1 base score of 7.7.
Mitigation is addressed in Wallos version 4.6.1, which fixes the SSRF bypass. Security practitioners are advised to upgrade immediately. Details are provided in the GitHub security advisory (GHSA-fgmf-7g5v-jmjg), the v4.6.1 release notes, and the patching commit (76a53df9cb4658123b8f0b7cf1826f1ba7d1c960).
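The check-once-then-follow pattern described in the NVD description and the deeper analysis above, modelled as an added Python example (not Wallos code, which is PHP): fetch_logo(..., revalidate=False) reproduces the 4.6.0 shape, one IP check up front and then redirects followed blindly as CURLOPT_FOLLOWLOCATION does, while revalidate=True vets every redirect hop before it is fetched. The resolver and opener parameters and the FAKE_DNS/FAKE_HTTP tables are constructed stand-ins so the example runs offline.

```python
import ipaddress
import socket
from urllib.parse import urljoin, urlparse

MAX_REDIRS = 3   # same ceiling Wallos set via CURLOPT_MAXREDIRS
REDIRECTS = {301, 302, 303, 307, 308}

def is_public(ip_str):
    """False for private/reserved/loopback/link-local (169.254/16) etc."""
    ip = ipaddress.ip_address(ip_str)
    return not (ip.is_private or ip.is_reserved or ip.is_loopback
                or ip.is_link_local or ip.is_multicast or ip.is_unspecified)

def vetted_ip(url, resolver):
    """Resolve the URL's host; raise ValueError unless it is a public address."""
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https") or not parsed.hostname:
        raise ValueError(f"unsupported URL: {url}")
    try:
        ip = str(ipaddress.ip_address(parsed.hostname))  # IP literal, no lookup
    except ValueError:
        ip = resolver(parsed.hostname)
    if not is_public(ip):
        raise ValueError(f"{parsed.hostname} -> {ip} is not public")
    return ip

def fetch_logo(url, opener, resolver=socket.gethostbyname, revalidate=True):
    """revalidate=False reproduces the pre-4.6.1 shape: one check up front, then
    redirects followed blindly. revalidate=True vets every hop before fetching it."""
    vetted_ip(url, resolver)
    for _ in range(MAX_REDIRS + 1):
        status, headers, body = opener(url)
        if status not in REDIRECTS:
            return body
        url = urljoin(url, headers["Location"])
        if revalidate:                      # the step missing in 4.6.0
            vetted_ip(url, resolver)
    raise ValueError("too many redirects")

# Constructed stand-ins for DNS and HTTP so the example runs offline: a host on
# a public address whose response is a 302 to the link-local metadata address.
FAKE_DNS = {"logo.example.com": "93.184.216.34"}
FAKE_HTTP = {
    "http://logo.example.com/logo.png":
        (302, {"Location": "http://169.254.169.254/latest/meta-data/"}, b""),
    "http://169.254.169.254/latest/meta-data/": (200, {}, b"<instance metadata>"),
}
fake_resolver = FAKE_DNS.__getitem__
fake_opener = FAKE_HTTP.__getitem__
```

Even with per-hop revalidation, a DNS rebinding between the check and the connect remains possible; closing that gap means connecting to the vetted IP and supplying the Host header yourself rather than letting the HTTP client resolve the name a second time.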
Details
- CWE(s)