Cyber Resilience

CVE-2026-33399

HighPublic PoC

Published: 24 March 2026

Published
24 March 2026
Modified
26 March 2026
KEV Added
Patch
CVSS Score v3.1 7.7 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
EPSS Score 0.0004 14.1th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-33399 is a high-severity SSRF (CWE-918) vulnerability in Wallosapp Wallos. Its CVSS base score is 7.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 14.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SC-7 (Boundary Protection).

Deeper analysis

CVE-2026-33399 is a server-side request forgery (SSRF) vulnerability affecting Wallos, an open-source, self-hostable personal subscription tracker, in versions prior to 4.7.0. It stems from an incomplete fix for previous SSRF issues (CVE-2026-30839 and CVE-2026-30840) implemented in version 4.6.2. While the validate_webhook_url_for_ssrf() protection was added to test* notification endpoints, it was not applied to the corresponding save* endpoints. This allows an authenticated user to save an internal or private IP address as a notification URL. When the cron job sendnotifications.php executes, it sends a request to that internal IP without SSRF validation. The vulnerability is rated 7.7 on the CVSS 3.1 scale (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N) and maps to CWE-918: Server-Side Request Forgery.

An authenticated user with low privileges can exploit this by submitting a malicious internal or private IP address via the save* notification endpoints. No user interaction is required beyond authentication, and exploitation occurs automatically when the sendnotifications.php cron job runs, forging requests from the server to arbitrary internal services. Attackers can achieve high-impact confidentiality violations by tricking the Wallos server into accessing and potentially leaking data from internal networks, with the changed scope amplifying the effect across security boundaries.

The GitHub security advisory (GHSA-mfjc-3258-cq3j) and the patching commit (e87387f0ebb540cd33e6dfda7181db9db650ecef) confirm that the issue is fully addressed in Wallos version 4.7.0, where SSRF validation is extended to the save* endpoints. Security practitioners should upgrade to 4.7.0 or later and review cron job configurations to mitigate exposure.

EU & UK References

Vulnerability details

Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.7.0, the SSRF fix applied in version 4.6.2 for CVE-2026-30839 and CVE-2026-30840 is incomplete. The validate_webhook_url_for_ssrf() protection was added to the test* notification endpoints but not to the corresponding…

more

save* endpoints. An authenticated user can save an internal/private IP address as a notification URL, and when the cron job sendnotifications.php executes, the request is sent to the internal IP without any SSRF validation. This issue has been patched in version 4.7.0.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1046 Network Service Discovery Discovery
Adversaries may attempt to get a listing of services running on remote hosts and local network infrastructure devices, including those that may be vulnerable to remote software exploitation.
T1018 Remote System Discovery Discovery
Adversaries may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system.
Why these techniques?

SSRF in public-facing app (post-auth save* endpoints) directly enables T1190 exploitation for internal network access; cron-driven requests to arbitrary private IPs/ports facilitate T1046 Network Service Discovery and T1018 Remote System Discovery.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-33407Same product: Wallosapp Wallos
CVE-2026-27479Same product: Wallosapp Wallos
CVE-2026-30828Same product: Wallosapp Wallos
CVE-2026-33417Same product: Wallosapp Wallos
CVE-2026-3052Shared CWE-918
CVE-2026-4200Shared CWE-918
CVE-2024-13923Shared CWE-918
CVE-2025-1833Shared CWE-918
CVE-2026-33321Shared CWE-918
CVE-2026-7049Shared CWE-918

Affected Assets

wallosapp
wallos
≤ 4.7.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires validation of webhook URL inputs on save* endpoints to block internal/private IP addresses, addressing the root cause of the incomplete SSRF protection.

prevent

Enforces boundary protection to monitor and control outbound communications from the application server, blocking requests to unauthorized internal IPs during cron job execution.

detect

Enables monitoring of system and network activity to identify anomalous connections to internal resources triggered by the SSRF-vulnerable cron job.

References