CVE-2026-41689
Deferred Deferred - Pending Action
Remote Code Execution via Webhook in Wallos

Publication date: 2026-05-07

Last updated on: 2026-05-07

Assigner: GitHub, Inc.

Description
Wallos is an open-source, self-hostable personal subscription tracker. In versions 4.8.4 and prior, the webhook notification feature reuses an administrator-configured local-target allowlist for every logged-in user. Any normal user can fully control a webhook URL, headers, and body, then use Wallos to send server-side requests to allowlisted internal automation services. When such a target exposes deployment or execution APIs, this can further enable adjacent-service RCE, but that downstream result is conditional on the target service. At time of publication, there are no publicly available patches.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-07
Last Modified
2026-05-07
Generated
2026-06-17
AI Q&A
2026-05-07
EPSS Evaluated
2026-06-15
NVD
CVE-2026-41689
EUVD
EUVD-2026-28385
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
ellite wallos to 4.8.0 (exc)
ellite wallos to 4.8.4 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-863 The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
CWE-918 The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Executive Summary

CVE-2026-41689 is a vulnerability in Wallos, an open-source personal subscription tracker. In versions 4.8.4 and earlier, the webhook notification feature improperly shares a global allowlist of internal services configured by administrators with all logged-in users.

This flaw allows any authenticated user, even with low privileges, to fully control webhook requests including the URL, headers, and body. They can send arbitrary HTTP requests to internal services that are supposed to be restricted.

If the targeted internal service exposes deployment or execution APIs, this can lead to remote code execution (RCE) on that adjacent service, although this depends on the specific target service.

Impact Analysis

This vulnerability can allow a low-privilege user to send unauthorized requests to internal automation services that are allowlisted by an administrator.

Such unauthorized access can lead to information disclosure, manipulation of internal services, or potentially remote code execution if the internal service exposes deployment or execution APIs.

The impact includes compromise of internal systems, disruption of automation workflows, and escalation of privileges through adjacent service exploitation.

Detection Guidance

Detection of this vulnerability involves monitoring for unauthorized or unusual HTTP requests sent from authenticated users to internal services that are allowlisted for webhook notifications.

Since any normal user can configure webhook URLs, headers, and payloads, you can look for HTTP requests originating from Wallos users targeting internal automation services such as Node-RED or Home Assistant.

Commands to detect such activity might include network traffic inspection tools or logs analysis to identify requests with unusual URLs or headers.

  • Use network monitoring tools like tcpdump or Wireshark to capture HTTP requests from Wallos server to internal services.
  • Example tcpdump command: tcpdump -i <interface> -A 'tcp port 80 or tcp port 443 and src host <Wallos_IP>'
  • Check Wallos application logs for webhook notification requests configured by non-administrator users.
  • Use grep or similar tools to search logs for suspicious webhook URLs or payloads.
Mitigation Strategies

Immediate mitigation steps include restricting access to the webhook notification allowlist and limiting which internal services are allowlisted.

Since there are no patches available as of the advisory date, administrators should carefully review and minimize the internal services added to the allowlist.

Additionally, restrict user permissions to prevent normal users from configuring webhook URLs, headers, and payloads if possible.

Monitoring and alerting on unusual webhook activity can also help detect exploitation attempts early.

If feasible, isolate internal automation services from the Wallos server or implement network segmentation to reduce the risk of SSRF exploitation.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-41689. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart