CVE-2026-33399
Published: 24 March 2026
Summary
CVE-2026-33399 is a high-severity SSRF (CWE-918) vulnerability in Wallosapp Wallos. Its CVSS base score is 7.7 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 11.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SC-7 (Boundary Protection).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly requires validation of webhook URL inputs on save* endpoints to block internal/private IP addresses, addressing the root cause of the incomplete SSRF protection.
Enforces boundary protection to monitor and control outbound communications from the application server, blocking requests to unauthorized internal IPs during cron job execution.
Enables monitoring of system and network activity to identify anomalous connections to internal resources triggered by the SSRF-vulnerable cron job.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
SSRF in public-facing app (post-auth save* endpoints) directly enables T1190 exploitation for internal network access; cron-driven requests to arbitrary private IPs/ports facilitate T1046 Network Service Discovery and T1018 Remote System Discovery.
NVD Description
Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.7.0, the SSRF fix applied in version 4.6.2 for CVE-2026-30839 and CVE-2026-30840 is incomplete. The validate_webhook_url_for_ssrf() protection was added to the test* notification endpoints but not to the corresponding…
more
save* endpoints. An authenticated user can save an internal/private IP address as a notification URL, and when the cron job sendnotifications.php executes, the request is sent to the internal IP without any SSRF validation. This issue has been patched in version 4.7.0.
Deeper analysisAI
CVE-2026-33399 is a server-side request forgery (SSRF) vulnerability affecting Wallos, an open-source, self-hostable personal subscription tracker, in versions prior to 4.7.0. It stems from an incomplete fix for previous SSRF issues (CVE-2026-30839 and CVE-2026-30840) implemented in version 4.6.2. While the validate_webhook_url_for_ssrf() protection was added to test* notification endpoints, it was not applied to the corresponding save* endpoints. This allows an authenticated user to save an internal or private IP address as a notification URL. When the cron job sendnotifications.php executes, it sends a request to that internal IP without SSRF validation. The vulnerability is rated 7.7 on the CVSS 3.1 scale (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N) and maps to CWE-918: Server-Side Request Forgery.
An authenticated user with low privileges can exploit this by submitting a malicious internal or private IP address via the save* notification endpoints. No user interaction is required beyond authentication, and exploitation occurs automatically when the sendnotifications.php cron job runs, forging requests from the server to arbitrary internal services. Attackers can achieve high-impact confidentiality violations by tricking the Wallos server into accessing and potentially leaking data from internal networks, with the changed scope amplifying the effect across security boundaries.
The GitHub security advisory (GHSA-mfjc-3258-cq3j) and the patching commit (e87387f0ebb540cd33e6dfda7181db9db650ecef) confirm that the issue is fully addressed in Wallos version 4.7.0, where SSRF validation is extended to the save* endpoints. Security practitioners should upgrade to 4.7.0 or later and review cron job configurations to mitigate exposure.
Details
- CWE(s)