CVE-2026-30839
Received Received - Intake

SSRF Vulnerability in Wallos testwebhooknotifications.php Allows Data Exposure

Vulnerability report for CVE-2026-30839, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-03-07

Last updated on: 2026-03-11

Assigner: GitHub, Inc.

Description

Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.6.2, testwebhooknotifications.php does not validate the target URL against private/reserved IP ranges, enabling full-read SSRF. The server response is returned to the caller. This issue has been patched in version 4.6.2.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-03-07
Last Modified
2026-03-11
Generated
2026-07-06
AI Q&A
2026-03-07
EPSS Evaluated
2026-07-05
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
wallosapp wallos to 4.6.2 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-918 The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': 'CVE-2026-30839 is a Server-Side Request Forgery (SSRF) vulnerability in the Wallos application, specifically in the testwebhooknotifications.php endpoint prior to version 4.6.2.'}, {'type': 'paragraph', 'content': 'The vulnerability occurs because the endpoint accepts a user-supplied URL parameter and executes a server-side HTTP request to that URL without validating whether the target IP address belongs to private or reserved IP ranges.'}, {'type': 'paragraph', 'content': "This lack of validation allows an authenticated attacker to craft requests that cause the server to make HTTP requests to internal network addresses or reserved IPs, potentially exposing sensitive internal data by returning the server's response to the attacker."}] [2]

Impact Analysis

This vulnerability can allow an authenticated attacker to perform SSRF attacks that read responses from internal network hosts.

  • Information disclosure: Attackers can access sensitive internal services and data that are normally protected from external access.
  • Access to cloud metadata services (e.g., 169.254.169.254), potentially exposing instance credentials or other sensitive cloud environment information.
  • Potential further exploitation by using the disclosed internal information to escalate privileges or move laterally within the network.
Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by testing the `testwebhooknotifications.php` endpoint with crafted requests containing URLs pointing to internal or private IP addresses. An authenticated user can send POST requests with a `url` parameter targeting internal services to see if the server executes the request and returns the internal response.'}, {'type': 'paragraph', 'content': 'A practical detection method is to use curl or similar HTTP clients to send a POST request to the vulnerable endpoint with a URL parameter set to an internal IP, such as 127.0.0.1 or 169.254.169.254 (cloud metadata service). If the server responds with data from these internal addresses, the vulnerability is present.'}, {'type': 'list_item', 'content': 'Example curl command to test SSRF on the vulnerable endpoint:'}, {'type': 'list_item', 'content': "curl -X POST -d 'url=http://127.0.0.1:9999/' https://your-wallos-instance/testwebhooknotifications.php -b 'auth_cookies'"}, {'type': 'paragraph', 'content': 'Replace `https://your-wallos-instance` with your actual Wallos server URL and include authentication cookies or headers as required, since the vulnerability requires authentication.'}] [2]

Mitigation Strategies

The immediate and most effective mitigation is to upgrade Wallos to version 4.6.2 or later, where this SSRF vulnerability has been patched.

If upgrading immediately is not possible, restrict access to the `testwebhooknotifications.php` endpoint to trusted users only, and consider network-level controls to block outgoing requests from the Wallos server to internal IP ranges.

The patch in version 4.6.2 introduces an allowlist for local webhook notification URLs, validates and resolves URLs to prevent requests to private IP ranges, disables curl redirects, and binds resolved IPs to prevent DNS rebinding attacks.

  • Upgrade to Wallos v4.6.2 or later.
  • Restrict access to the vulnerable endpoint to authenticated and trusted users.
  • Implement network controls to block unauthorized outbound requests from the Wallos server to internal IP ranges.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-30839. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart