CVE-2026-41688
Status: Deferred - Pending Action
SSRF via DNS Rebinding in Wallos Subscription Tracker

Publication date: 2026-05-07

Last updated on: 2026-05-07

Assigner: GitHub, Inc.

Description
Wallos is an open-source, self-hostable personal subscription tracker. In versions 4.8.4 and prior, the incomplete SSRF fix in Wallos validates webhook URLs via gethostbyname() but passes the original hostname to cURL without CURLOPT_RESOLVE pinning on 10 of 11 outbound HTTP endpoints, leaving a DNS rebinding TOCTOU window. At time of publication, there are no publicly available patches.
Meta Information
Published: 2026-05-07
Last modified: 2026-05-07
Generated: 2026-05-07
AI Q&A generated: 2026-05-07
EPSS evaluated: N/A
Affected Vendors & Products
Showing 2 associated CPEs
Vendor   Product   Version / Range
ellite   wallos    4.8.4
ellite   wallos    up to 4.8.4 (excluding)
CWE
CWE-918: The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The provided information does not specify any direct impact of this SSRF vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.


Can you explain this vulnerability to me?

CVE-2026-41688 is a Server-Side Request Forgery (SSRF) vulnerability in Wallos, an open-source personal subscription tracker. The application validates a webhook URL by resolving its hostname with gethostbyname() and checking whether the result is a private or reserved IP address, but on most endpoints it then hands the original hostname to cURL without pinning the validated address via the CURLOPT_RESOLVE option, so cURL resolves the name a second time.

This creates a Time-of-Check-Time-of-Use (TOCTOU) window: with a DNS rebinding attack, the attacker's DNS server answers the validation lookup with a harmless public address and the second lookup with an internal one, redirecting the request to internal or otherwise unauthorized addresses.

Additionally, the IP address checks are incomplete: an IPv4-mapped IPv6 address (the ::ffff:a.b.c.d form) carrying a CGNAT address is not caught by the IPv4 range checks, allowing attackers to bypass protections that were written for plain IPv4 addresses.


How can this vulnerability impact me?

This vulnerability allows an attacker who controls a webhook URL (and its DNS) to exploit the rebinding TOCTOU window and make the Wallos server send HTTP requests to internal or otherwise restricted network addresses.

Such requests can reach internal services or data that are not meant to be accessible from outside, potentially leading to information disclosure or unauthorized interactions with internal systems.

Because 10 of the 11 outbound HTTP endpoints are affected, the attack surface within the application is broad.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability is a DNS rebinding TOCTOU window in Wallos: the hostname is validated, but the actual HTTP request uses the original hostname without pinning the resolved IP, so an attacker can redirect the request to an internal IP.

To detect exploitation attempts, monitor outbound HTTP requests from the Wallos host to the vulnerable endpoints and look for DNS answers that change between validation and use, or for connections to internal IP addresses.

  • Inspect network traffic for a DNS query followed by an HTTP request where the address resolved for the same name differs between the validation lookup and the request (a short TTL on the attacker's record is a typical sign).
  • Use network monitoring tools (e.g., tcpdump, Wireshark) to capture DNS and HTTP traffic generated by Wallos endpoints such as 'endpoints/ai/fetch_models.php' and 'endpoints/cronjobs/sendnotifications.php'.
  • Run a command such as `tcpdump -i <interface> 'port 53 or port 80 or port 443'` on the Wallos host to capture DNS and HTTP traffic.
  • Check application logs for webhook URL requests and verify whether the resolved addresses are the expected external IPs or suspicious internal ones.

Because the flaw is a DNS rebinding/TOCTOU issue, no single command detects it automatically; monitoring DNS resolution consistency and outbound requests to internal IPs is the practical way to identify potential exploitation.


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation focuses on restricting and monitoring outbound HTTP requests from Wallos so that a rebinding attack cannot reach internal network addresses.

  • Apply network-level controls such as firewall or egress rules that block the Wallos host from making HTTP requests to internal IP ranges; these work regardless of what the application resolves.
  • Monitor and audit the webhook URLs configured in Wallos to ensure they do not point to internal or private IP addresses.
  • If possible, modify the Wallos source code to add `CURLOPT_RESOLVE` pinning on all outbound HTTP endpoints so the address used for the request is the one that was validated, as the one endpoint (`generate_recommendations.php`) that already implements this does.
  • Avoid running vulnerable versions (4.8.4 and prior) in production environments until an official patch is released.

At the time of publication no public patches are available, so these mitigations limit exposure and prevent exploitation through network and configuration controls.
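The following is an added example, not Wallos code, of the pinning fix described above together with the IPv4-mapped CGNAT check from the explanation: it resolves the hostname once, rejects the URL if any returned address is private, reserved or CGNAT (after unwrapping ::ffff: addresses), and then pins the checked address with CURLOPT_RESOLVE so cURL does not resolve the name again. Function names are assumptions and PHP 8 is assumed; the same isDisallowedIp() check can be run over configured webhook URLs when auditing them.

```php
// Added example, not Wallos code (names are assumptions): check the URL's
// resolved addresses, then pin the checked one with CURLOPT_RESOLVE.
function isDisallowedIp(string $ip): bool
{
    // Unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d) so an AAAA record cannot
    // carry a private or CGNAT IPv4 address past the IPv4 checks below.
    if (preg_match('/^::ffff:(\d+\.\d+\.\d+\.\d+)$/i', $ip, $m)) {
        $ip = $m[1];
    }
    $flags = FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE;
    if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4)) {
        if (!filter_var($ip, FILTER_VALIDATE_IP, $flags)) {
            return true; // RFC 1918, loopback, link-local, reserved
        }
        $n = ip2long($ip); // PHP's reserved filter skips CGNAT 100.64.0.0/10
        return $n >= ip2long('100.64.0.0') && $n <= ip2long('100.127.255.255');
    }
    return !filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV6 | $flags);
}

function pinnedWebhookRequest(string $url): string|false
{
    $p = parse_url($url);
    $scheme = $p['scheme'] ?? '';
    if (!in_array($scheme, ['http', 'https'], true) || empty($p['host'])) {
        return false;
    }
    $host = trim($p['host'], '[]');
    $port = $p['port'] ?? ($scheme === 'https' ? 443 : 80);
    // Resolve once and check every returned address, not only the first.
    $addrs = [];
    if (filter_var($host, FILTER_VALIDATE_IP)) {
        $addrs[] = $host;
    } else {
        foreach (dns_get_record($host, DNS_A | DNS_AAAA) ?: [] as $r) {
            $addrs[] = $r['ip'] ?? $r['ipv6'];
        }
    }
    if (!$addrs || array_filter($addrs, 'isDisallowedIp')) {
        return false;
    }
    $pin = str_contains($addrs[0], ':') ? "[{$addrs[0]}]" : $addrs[0];
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RESOLVE        => ["$host:$port:$pin"], // no second lookup
        CURLOPT_FOLLOWLOCATION => false, // a redirect would resolve unchecked
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_RETURNTRANSFER => true,
    ]);
    return curl_exec($ch);
}
```

Redirects are disabled because a 3xx to another hostname would be resolved by cURL without passing through the check; if redirects are needed, each hop must be validated and pinned the same way.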

