CVE-2026-41688
Deferred Deferred - Pending Action
SSRF via DNS Rebinding in Wallos Subscription Tracker

Publication date: 2026-05-07

Last updated on: 2026-05-07

Assigner: GitHub, Inc.

Description
Wallos is an open-source, self-hostable personal subscription tracker. In versions 4.8.4 and prior, the incomplete SSRF fix in Wallos validates webhook URLs via gethostbyname() but passes the original hostname to cURL without CURLOPT_RESOLVE pinning on 10 of 11 outbound HTTP endpoints, leaving a DNS rebinding TOCTOU window. At time of publication, there are no publicly available patches.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-07
Last Modified
2026-05-07
Generated
2026-06-16
AI Q&A
2026-05-07
EPSS Evaluated
2026-06-15
NVD
CVE-2026-41688
EUVD
EUVD-2026-28384
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
ellite wallos 4.8.4
ellite wallos to 4.8.4 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-918 The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The provided information does not specify any direct impact of this SSRF vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Executive Summary

CVE-2026-41688 is a Server-Side Request Forgery (SSRF) vulnerability in Wallos, an open-source personal subscription tracker. The vulnerability arises because the application performs hostname validation using gethostbyname() to check if a URL resolves to a private or reserved IP address, but then makes HTTP requests using the original hostname without pinning the resolved IP address via cURL's CURLOPT_RESOLVE option on most endpoints.

This creates a Time-of-Check-Time-of-Use (TOCTOU) window where an attacker can perform a DNS rebinding attack, changing the IP address between validation and the actual request, potentially redirecting requests to internal or unauthorized IP addresses.

Additionally, the vulnerability includes an IPv6-mapped CGNAT bypass due to incomplete IP address checks, allowing attackers to circumvent protections designed for IPv4 addresses.

Impact Analysis

This vulnerability can allow an attacker to exploit the DNS rebinding TOCTOU window to make the Wallos application send HTTP requests to internal or otherwise restricted network addresses.

Such unauthorized requests could expose internal services or data that are not intended to be accessible externally, potentially leading to information disclosure or unauthorized interactions with internal systems.

Because the vulnerability affects 10 out of 11 outbound HTTP endpoints, it presents a broad attack surface within the application.

Detection Guidance

This vulnerability involves a DNS rebinding TOCTOU window in Wallos where the hostname is validated but the actual HTTP request uses the original hostname without pinning the resolved IP, allowing an attacker to redirect requests to internal IPs.

To detect exploitation attempts or the presence of this vulnerability on your system or network, you can monitor outbound HTTP requests from Wallos to the vulnerable endpoints and check for unusual DNS resolutions or requests to internal IP addresses.

  • Inspect network traffic for DNS queries followed by HTTP requests where the resolved IP changes between validation and use.
  • Use network monitoring tools (e.g., tcpdump, Wireshark) to capture DNS and HTTP traffic related to Wallos endpoints such as 'endpoints/ai/fetch_models.php' and 'endpoints/cronjobs/sendnotifications.php'.
  • Run commands like `tcpdump -i <interface> port 53 or port 80 or port 443` to capture DNS and HTTP traffic.
  • Check application logs for webhook URL requests and verify if the resolved IP addresses correspond to expected external IPs or suspicious internal IPs.

Since the vulnerability is related to DNS rebinding and TOCTOU issues, there is no direct command to detect it automatically, but monitoring DNS resolution consistency and outbound requests to internal IPs can help identify potential exploitation.

Mitigation Strategies

Immediate mitigation steps include restricting or monitoring outbound HTTP requests from Wallos to prevent DNS rebinding attacks and limiting access to internal network addresses.

  • Apply network-level controls such as firewall rules to block Wallos from making HTTP requests to internal IP ranges.
  • Monitor and audit webhook URLs configured in Wallos to ensure they do not point to internal or private IP addresses.
  • If possible, modify the Wallos source code to add `CURLOPT_RESOLVE` pinning on all outbound HTTP endpoints to ensure the IP address used in the HTTP request matches the validated IP, similar to the one endpoint (`generate_recommendations.php`) that already implements this.
  • Avoid using vulnerable versions (4.8.4 and prior) in production environments until an official patch is released.

At the time of publication, no public patches are available, so these mitigations focus on limiting exposure and preventing exploitation through network and configuration controls.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-41688. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart