CVE-2026-41689— Wallos: Shared local webhook allowlist lets low-privilege users send arbitrary requests to allowlisted internal services
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-41689
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Wallos: Shared local webhook allowlist lets low-privilege users send arbitrary requests to allowlisted internal services
Source: NVD (National Vulnerability Database)
Vulnerability Description
Wallos is an open-source, self-hostable personal subscription tracker. In versions 4.8.4 and prior, the webhook notification feature reuses an administrator-configured local-target allowlist for every logged-in user. Any normal user can fully control a webhook URL, headers, and body, then use Wallos to send server-side requests to allowlisted internal automation services. When such a target exposes deployment or execution APIs, this can further enable adjacent-service RCE, but that downstream result is conditional on the target service. At time of publication, there are no publicly available patches.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:L
Source: NVD (National Vulnerability Database)
Vulnerability Type
授权机制不正确
Source: NVD (National Vulnerability Database)
Vulnerability Title
Wallos 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Wallos是Miguel Ribeiro个人开发者的一个开源个人订阅跟踪器。 Wallos 4.8.4及之前版本存在安全漏洞,该漏洞源于Webhook通知功能重用管理员配置的本地目标白名单,可能导致普通用户控制Webhook URL、标头和主体,向白名单内部自动化服务发送服务器端请求。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
II. Public POCs for CVE-2026-41689
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-41689
请登录查看更多情报信息。
Same Patch Batch · ellite · 2026-05-07 · 3 CVEs total
| CVE-2026-41688 | 7.7 HIGH | Incomplete fix for CVE-2026-33399: SSRF in Wallos |
| CVE-2026-41687 | 4.3 MEDIUM | Wallos: SSRF CGNAT Bypass in subscription/payments Logo URL — is_cgnat_ip() Not Used in In |
IV. Related Vulnerabilities
Same product: Wallos
- CVE-2026-41688
Incomplete fix for CVE-2026-33399: SSRF in Wallos - CVE-2026-41687
Wallos: SSRF CGNAT Bypass in subscription/payments Logo URL - CVE-2026-33417
Wallos: Password Reset Tokens Never Expire - CVE-2026-33401
Wallos: Incomplete fix for CVE-2026-30840 - SSRF in AI and n - CVE-2026-33400
Wallos: Stored cross-site scripting (XSS) vulnerability in t
Same vendor: ellite
- CVE-2026-41688
Incomplete fix for CVE-2026-33399: SSRF in Wallos - CVE-2026-41687
Wallos: SSRF CGNAT Bypass in subscription/payments Logo URL - CVE-2026-33417
Wallos: Password Reset Tokens Never Expire - CVE-2026-33401
Wallos: Incomplete fix for CVE-2026-30840 - SSRF in AI and n - CVE-2026-33400
Wallos: Stored cross-site scripting (XSS) vulnerability in t
Same weakness: CWE-863
- CVE-2026-42571
Privilege Escalation Attack affecting Pelican Web UI - CVE-2025-15633
HCL BigFix WebUI is affected by an improper authorization vu - CVE-2026-42296
Argo Workflows has incomplete fix for CVE-2026-31892: hostNe - CVE-2025-66170
Apache CloudStack: Any user can list backups that they shoul - CVE-2026-41903
FreeScout IDOR Vulnerability: PERM_EDIT_USERS allows modifyi
V. Comments for CVE-2026-41689
No comments yet