CVE-2026-41688: Wallos SSRF Bypass via DNS Rebinding

The National Vulnerability Database has disclosed CVE-2026-41688, a high-severity Server-Side Request Forgery (SSRF) vulnerability affecting Wallos, an open-source personal subscription tracker. Versions 4.8.4 and prior are vulnerable. The flaw stems from an incomplete fix: Wallos validates a webhook URL by resolving its hostname with gethostbyname() and checking the returned address, but then passes the original hostname to cURL, which resolves it a second time, without CURLOPT_RESOLVE pinning on 10 of the 11 outbound HTTP endpoints.

This creates a classic Time-of-Check to Time-of-Use (TOCTOU) window that enables DNS rebinding: an attacker who controls the DNS answers for a hostname can return a harmless public address to the validation lookup and an internal address to cURL's own lookup, directing Wallos to internal network resources and potentially leading to information disclosure or further internal network compromise. The National Vulnerability Database assigns a CVSS v3.1 score of 7.7 (High) with vector AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N, reflecting network reachability, a changed scope and high confidentiality impact.

For defenders, this means Wallos instances, particularly those exposed to untrusted users or configured with webhook functionality, are at risk. The attacker's objective is to use the TOCTOU race to pivot from an apparently safe external URL to an internal IP address after the initial DNS lookup has passed validation. At the time of publication no public patch is available, leaving affected instances exposed.
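As an added illustration (not Wallos's own code), the unpinned check-then-fetch pattern the advisory describes beside a version that pins cURL to the vetted address with CURLOPT_RESOLVE; the function names isPublicIp, fetchUnpinned and fetchPinned are assumed for the example.

```php
<?php
// Added example, not Wallos's code: the unpinned check-then-fetch pattern the
// advisory describes, beside a version pinned with CURLOPT_RESOLVE.
// True only for a public address: rejects RFC 1918, loopback, link-local
// (including 169.254.169.254) and other reserved ranges.
function isPublicIp(string $ip): bool
{
    $flags = FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE;
    return filter_var($ip, FILTER_VALIDATE_IP, $flags) !== false;
}

// VULNERABLE: vets the address the resolver returns now, then hands the bare
// hostname to cURL, which performs its own second lookup (the TOCTOU window).
function fetchUnpinned(string $url)
{
    $host = parse_url($url, PHP_URL_HOST);
    if (!is_string($host) || !isPublicIp(gethostbyname($host))) return false;
    $ch = curl_init($url);                     // cURL re-resolves $host here
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    $body = curl_exec($ch);
    curl_close($ch);
    return $body;
}

// HARDENED: resolve once, vet every A record, then pin cURL to the vetted
// address so the validated lookup is the only lookup. Redirects are refused
// because following one would trigger a fresh, unpinned resolution.
function fetchPinned(string $url)
{
    $p = parse_url($url);
    if ($p === false || !isset($p['host'], $p['scheme'])) return false;
    $port = $p['port'] ?? ($p['scheme'] === 'https' ? 443 : 80);
    $ips  = gethostbynamel($p['host']);        // every IPv4 record, or false
    if (empty($ips)) return false;             // unresolvable / AAAA-only: fail closed
    foreach ($ips as $ip) {
        if (!isPublicIp($ip)) return false;    // one internal record rejects the host
    }
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_RESOLVE        => ["{$p['host']}:{$port}:{$ips[0]}"],
        CURLOPT_FOLLOWLOCATION => false,
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_TIMEOUT        => 10,
    ]);
    $body = curl_exec($ch);
    curl_close($ch);
    return $body;
}
```

The same wrapper has to front every outbound request: the advisory's point is that pinning one endpoint out of eleven leaves the other ten open.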

What This Means For You

  • If your organization or team uses Wallos for subscription tracking, immediately assess your version. Given the lack of a public patch, consider isolating Wallos instances, restricting their outbound (egress) network access to internal ranges, and disabling webhook functionality until a fix is released. Audit logs for any suspicious outbound connections from your Wallos deployments, especially connections to private or link-local addresses.

Related ATT&CK Techniques

T1190 (Initial Access), level: high

Detection Rules

The Sigma rule below was auto-generated for this advisory and mapped to MITRE ATT&CK. It is marked experimental: it flags successful POSTs to the webhook endpoint, which is where a malicious URL would be submitted, not proof of exploitation, so pair it with outbound-connection logs from the Wallos host.

Sigma YAML
title: 'CVE-2026-41688: Wallos SSRF Bypass via DNS Rebinding'
id: scw-2026-05-07-ai-1
status: experimental
level: high
description: |
  Detects POST requests to the Wallos /api/v1/webhooks endpoint with a 200 status code, indicative of potential SSRF exploitation via DNS rebinding as described in CVE-2026-41688. The vulnerability allows an attacker to bypass SSRF protections by manipulating DNS resolution after the initial hostname validation.
author: SCW Feed Engine (AI-generated)
date: 2026-05-07
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-41688/
tags:
  - attack.initial_access
  - attack.t1190
logsource:
  category: webserver
detection:
  selection:
    cs-uri|contains:
      - '/api/v1/webhooks'
    cs-method:
      - 'POST'
    sc-status:
      - '200'
  # condition belongs directly under detection, not inside the selection map
  condition: selection
falsepositives:
  - Legitimate administrative activity


Indicators of Compromise

ID             | Type | Indicator
CVE-2026-41688 | SSRF | Wallos versions 4.8.4 and prior
CVE-2026-41688 | SSRF | Incomplete SSRF fix via gethostbyname() without CURLOPT_RESOLVE pinning
CVE-2026-41688 | SSRF | DNS rebinding TOCTOU window on 10 of 11 outbound HTTP endpoints

Source & Attribution

Source Platform: NVD
Channel: National Vulnerability Database
Published: May 07, 2026 at 18:16 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.
