CVE-2026-27479
SSRF Vulnerability in Wallos Logo Upload Allows Internal Access

Publication date: 2026-02-21

Last updated on: 2026-02-24

Assigner: GitHub, Inc.

Description
Wallos is an open-source, self-hostable personal subscription tracker. Versions 4.6.0 and below contain a Server-Side Request Forgery (SSRF) vulnerability in the subscription and payment logo/icon upload functionality. The application validates the IP address of the provided URL before making the request, but allows HTTP redirects (CURLOPT_FOLLOWLOCATION = true), enabling an attacker to bypass the IP validation and access internal resources, including cloud instance metadata endpoints. The getLogoFromUrl() function validates the URL by resolving the hostname and checking if the resulting IP is in a private or reserved range using FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE. However, the subsequent cURL request is configured with CURLOPT_FOLLOWLOCATION = true and CURLOPT_MAXREDIRS = 3, which means the request will follow HTTP redirects without re-validating the destination IP. This issue has been fixed in version 4.6.1.
Meta Information
Generated: 2026-05-07
AI Q&A: 2026-02-21
EPSS Evaluated: 2026-05-05
Affected Vendors & Products (1 associated CPE)
Vendor: wallosapp
Product: wallos
Version / Range: up to 4.6.1 (exclusive)
CWE
CWE-918: The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-27479 is a Server-Side Request Forgery (SSRF) vulnerability in the Wallos application (versions 4.6.0 and below) affecting the subscription and payment logo/icon upload functionality.

The vulnerability occurs because the application validates the IP address of the initially provided URL to ensure it is not within private or reserved IP ranges, but the subsequent cURL request follows HTTP redirects (up to 3) without re-validating the IP addresses of the redirected URLs.

This allows an attacker to bypass the IP validation by providing a URL that initially resolves to a public IP but redirects to internal or cloud metadata endpoints, such as AWS/GCP/Azure instance metadata services.

As a result, the attacker can make the server fetch internal resources and save the response as a logo image file, which can then be accessed through the application UI, effectively enabling data exfiltration from internal networks.


How can this vulnerability impact me?

This vulnerability can have significant impacts including:

  • Exfiltration of sensitive cloud instance metadata such as IAM credentials, service account tokens, and managed identity tokens.
  • Unauthorized access to internal network resources, enabling internal network scanning and enumeration.
  • Blind SSRF attacks where data retrieved from internal services is saved as logo images and can be accessed via the application UI.
  • Potential compromise of confidentiality due to exposure of sensitive internal information.

How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by monitoring for unusual HTTP requests or redirects initiated by the Wallos application, especially those targeting internal or cloud metadata IP addresses such as 169.254.169.254 or localhost addresses.

Since the vulnerability involves SSRF via the logo upload functionality, detection can include checking logs for outbound HTTP requests from the Wallos server that follow redirects to private or reserved IP ranges.

Suggested commands to detect potential exploitation attempts include:

  • Using network monitoring tools like tcpdump or Wireshark to capture outbound HTTP requests from the Wallos server and filter for requests to internal IP ranges (e.g., 169.254.169.254, 127.0.0.1, 192.168.x.x).
  • Example tcpdump command (the network and port clauses are grouped with parentheses, since BPF binds "and" more tightly than "or"): tcpdump -i eth0 '(dst net 169.254.0.0/16 or dst net 127.0.0.0/8 or dst net 192.168.0.0/16) and (port 80 or port 443)'
  • Checking application logs for requests to the subscription add endpoint containing URLs that redirect to internal IPs.
  • Using curl or similar tools to test the URL validation logic by submitting URLs that redirect to internal IPs and observing if the application follows redirects without re-validation.

What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include upgrading the Wallos application to version 4.6.1 or later, which contains the fix for this SSRF vulnerability.

If upgrading is not immediately possible, apply the following mitigations:

  • Disable automatic following of HTTP redirects in the cURL requests by setting CURLOPT_FOLLOWLOCATION to false.
  • Implement manual handling of redirects with validation of each redirected URL's IP address to ensure it is not within private or reserved IP ranges.
  • Use CURLOPT_RESOLVE in cURL to pin the hostname to the validated IP address, preventing DNS rebinding attacks.
  • Set a reasonable timeout for cURL requests to avoid hanging requests.

Additionally, monitor and restrict access to the subscription and payment logo upload functionality to trusted users only, as the vulnerability requires authenticated access. [1, 2, 3]
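The mitigations above combined into one fetch routine, as an added illustration that is not Wallos' own code or its 4.6.1 fix: redirects are followed manually, every hop's hostname is resolved and checked with the same FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE filter the advisory describes, and the validated IP is pinned with CURLOPT_RESOLVE. The function names are hypothetical, and resolution is IPv4-only via gethostbyname for brevity.

```php
<?php
// Added example, not Wallos' code. Helper names are hypothetical.

// Resolve a hostname (or IP literal) and reject private/reserved addresses.
function resolvePublicIp(string $host): ?string {
    $ip = filter_var($host, FILTER_VALIDATE_IP) ? $host : gethostbyname($host);
    if (!filter_var($ip, FILTER_VALIDATE_IP)) {
        return null; // gethostbyname returns the name unchanged on failure
    }
    $ok = filter_var($ip, FILTER_VALIDATE_IP,
        FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE);
    return $ok === false ? null : $ip;
}

// Fetch $url, re-validating the destination on every redirect hop.
function fetchLogoSafely(string $url, int $maxRedirects = 3): ?string {
    for ($hop = 0; $hop <= $maxRedirects; $hop++) {
        $parts = parse_url($url);
        $scheme = $parts['scheme'] ?? '';
        if (!$parts || !in_array($scheme, ['http', 'https'], true) || empty($parts['host'])) {
            return null; // only http(s) with a host component is acceptable
        }
        $ip = resolvePublicIp($parts['host']);
        if ($ip === null) {
            return null; // this hop points at a private/reserved address
        }
        $port = $parts['port'] ?? ($scheme === 'https' ? 443 : 80);

        $ch = curl_init($url);
        curl_setopt_array($ch, [
            CURLOPT_RETURNTRANSFER => true,
            CURLOPT_FOLLOWLOCATION => false,   // redirects are handled below
            CURLOPT_PROTOCOLS      => CURLPROTO_HTTP | CURLPROTO_HTTPS,
            CURLOPT_CONNECTTIMEOUT => 5,
            CURLOPT_TIMEOUT        => 10,
            // Pin host -> validated IP so a second DNS lookup cannot swap in
            // an internal address between check and use (DNS rebinding).
            CURLOPT_RESOLVE        => ["{$parts['host']}:{$port}:{$ip}"],
        ]);
        $body   = curl_exec($ch);
        $status = (int) curl_getinfo($ch, CURLINFO_HTTP_CODE);
        $next   = curl_getinfo($ch, CURLINFO_REDIRECT_URL);
        curl_close($ch);

        if ($status >= 300 && $status < 400 && is_string($next) && $next !== '') {
            $url = $next; // loop back: the redirect target is validated anew
            continue;
        }
        return ($status === 200 && is_string($body)) ? $body : null;
    }
    return null; // redirect limit exceeded
}
```

A redirect to a private host fails at the resolvePublicIp check on that hop and the function returns null instead of saving the response as a logo.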

