
CVE-2026-27479: CWE-918: Server-Side Request Forgery (SSRF) in ellite Wallos

Severity: High
Tags: Vulnerability, CVE-2026-27479, CWE-918
Published: Sat Feb 21 2026 (02/21/2026, 08:15:19 UTC)
Source: CVE Database V5
Vendor/Project: ellite
Product: Wallos

Description

Wallos is an open-source, self-hostable personal subscription tracker. Versions 4.6.0 and below contain a Server-Side Request Forgery (SSRF) vulnerability in the subscription and payment logo/icon upload functionality. The application validates the IP address of the provided URL before making the request, but allows HTTP redirects (CURLOPT_FOLLOWLOCATION = true), enabling an attacker to bypass the IP validation and access internal resources, including cloud instance metadata endpoints. The getLogoFromUrl() function validates the URL by resolving the hostname and checking if the resulting IP is in a private or reserved range using FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE. However, the subsequent cURL request is configured with CURLOPT_FOLLOWLOCATION = true and CURLOPT_MAXREDIRS = 3, which means the request will follow HTTP redirects without re-validating the destination IP. This issue has been fixed in version 4.6.1.

AI-Powered Analysis

Machine-generated threat intelligence

Last updated: 02/28/2026, 12:42:09 UTC

Technical Analysis

CVE-2026-27479 in ellite Wallos (<=4.6.0) is a Server-Side Request Forgery (SSRF) in the subscription and payment logo/icon upload feature, caused by validating the request destination only once, before HTTP redirects are followed. Wallos guards the user-supplied URL by resolving its hostname and rejecting addresses in private or reserved ranges (PHP's FILTER_FLAG_NO_PRIV_RANGE and FILTER_FLAG_NO_RES_RANGE). The cURL request that then fetches the logo is configured with CURLOPT_FOLLOWLOCATION = true and CURLOPT_MAXREDIRS = 3, so libcurl follows up to three redirects on its own, and none of the redirect targets is checked. An attacker therefore points the logo URL at a host they control that resolves to a public address and answers with a 3xx Location pointing at an internal address, for example a cloud instance metadata endpoint. The Wallos server follows the redirect and requests content the attacker could not reach directly; how much of the response is exposed back to the attacker depends on how the fetched body is handled, which the advisory does not detail. One caveat on the metadata targets: only services that answer a plain GET are reachable through a followed redirect. AWS IMDSv1 is, while IMDSv2 (token obtained via PUT), Azure IMDS (Metadata: true header) and GCE metadata (Metadata-Flavor: Google header) each require something a redirected GET does not carry. Exploitation needs no user interaction but does need an authenticated Wallos account that can set a subscription or payment-method logo URL. Version 4.6.1 fixes the issue; the advisory does not state whether the fix stops following redirects or re-validates each hop. No exploitation in the wild is reported as of publication. The CVSS v3.1 base score is 7.7: network attack vector, low attack complexity, low privileges required, no user interaction, changed scope (the forged request reaches resources outside the vulnerable component), high confidentiality impact and no integrity or availability impact.

Potential Impact

This SSRF gives an authenticated Wallos user a way to make the Wallos server issue HTTP GET requests into the network it sits in, reaching internal services and, where the deployment runs in a cloud instance, metadata endpoints. The resulting data (instance credentials, internal API responses, configuration) is the main harm, and it can seed further attacks such as privilege escalation in the cloud account, lateral movement or data exfiltration. Because Wallos is a self-hosted personal subscription tracker, exposure varies with the deployment: a single-user instance on a home network has little reachable from it, while an instance inside a corporate network or a cloud VM with IMDSv1 enabled is a usable pivot. The vulnerability does not affect integrity or availability directly, but it is a stepping stone to attacks that do. The low effort needed (one attacker-controlled redirect) and the sensitivity of what can be reached make this a significant risk for any multi-user or cloud-hosted deployment running a version prior to 4.6.1.

Mitigation Recommendations

Upgrade Wallos to version 4.6.1 or later, where the issue is fixed. If upgrading is not immediately possible: restrict who can create or edit subscriptions and payment methods, since the attacker needs an account with that ability; and, if you run from source, apply a local patch to getLogoFromUrl() that sets CURLOPT_FOLLOWLOCATION to false, or follows redirects manually with every hop re-validated against the same private/reserved-range check. Network-level controls are worthwhile regardless of the application fix: block outbound traffic from the Wallos host or container to 169.254.169.254, to fd00:ec2::254 and to RFC 1918 and loopback ranges unless a specific destination is needed. In AWS, require IMDSv2 (HttpTokens = required) on the instance; a redirected GET cannot complete the IMDSv2 token handshake. Log outbound HTTP from the Wallos process; any request from it to a link-local or private address is a clear detection signal, as the only legitimate outbound fetches are logo downloads from public hosts. A WAF with SSRF rules adds little here, because the submitted URL looks like an ordinary public URL and the malicious redirect happens server-side; treat it as defence in depth, not as the control.
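The following PHP is an added example that is not Wallos source code. It puts the pattern the Technical Analysis describes (one IP check on the submitted URL, then cURL with CURLOPT_FOLLOWLOCATION following redirects unchecked) next to the hardened fetcher the Mitigation Recommendations call for: redirects are never delegated to libcurl, each hop is re-validated, and the validated address is pinned with CURLOPT_RESOLVE so the request cannot resolve to a different address than the one checked. Function names, the 10-second timeout and the IPv4-only simplification are this example's choices, not Wallos'.

```php
<?php
// Added example, not Wallos source: a fetcher with the weakness the advisory
// describes (validate once, then CURLOPT_FOLLOWLOCATION) next to a hardened
// one that never lets cURL follow a redirect and re-validates every hop.
// Function names and the IPv4-only simplification are this example's choices.

/** True only for a public, non-reserved IPv4 address. */
function isPublicIPv4(string $ip): bool
{
    return filter_var(
        $ip,
        FILTER_VALIDATE_IP,
        FILTER_FLAG_IPV4 | FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE
    ) !== false;
}

/** Resolve a host name (or accept an IPv4 literal) to its IPv4 addresses. */
function resolveIPv4(string $host): array
{
    if (filter_var($host, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) !== false) {
        return [$host];
    }
    $records = @dns_get_record($host, DNS_A) ?: [];
    return array_values(array_filter(array_column($records, 'ip')));
}

/** The vulnerable pattern: one check on the first hop, then blind redirects. */
function fetchLogoVulnerable(string $url): string|false
{
    $host = parse_url($url, PHP_URL_HOST);
    $ip = is_string($host) ? (resolveIPv4($host)[0] ?? null) : null;
    if ($ip === null || !isPublicIPv4($ip)) {
        return false;
    }
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_FOLLOWLOCATION => true, // a 3xx to 169.254.169.254 is followed unchecked
        CURLOPT_MAXREDIRS      => 3,
        CURLOPT_TIMEOUT        => 10,
    ]);
    $body = curl_exec($ch);
    curl_close($ch);
    return $body;
}

/** Hardened: follow redirects ourselves, validating and pinning each hop. */
function fetchLogoHardened(string $url, int $maxRedirects = 3): string|false
{
    for ($hop = 0; $hop <= $maxRedirects; $hop++) {
        $parts  = parse_url($url);
        $scheme = $parts['scheme'] ?? '';
        $host   = $parts['host'] ?? '';
        if ($host === '' || !in_array($scheme, ['http', 'https'], true)) {
            return false; // refuse file://, gopher://, dict:// and friends
        }
        $port = $parts['port'] ?? ($scheme === 'https' ? 443 : 80);

        // Every address the name resolves to must be public, not just the first.
        $ips = resolveIPv4($host);
        if ($ips === [] || count(array_filter($ips, 'isPublicIPv4')) !== count($ips)) {
            return false;
        }

        $ch = curl_init($url);
        curl_setopt_array($ch, [
            CURLOPT_RETURNTRANSFER => true,
            CURLOPT_FOLLOWLOCATION => false, // never let libcurl choose the next hop
            CURLOPT_PROTOCOLS      => CURLPROTO_HTTP | CURLPROTO_HTTPS,
            CURLOPT_IPRESOLVE      => CURL_IPRESOLVE_V4,
            // Pin the validated address so this request cannot re-resolve elsewhere.
            CURLOPT_RESOLVE        => ["$host:$port:{$ips[0]}"],
            CURLOPT_TIMEOUT        => 10,
        ]);
        $body = curl_exec($ch);
        $code = (int) curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
        $next = curl_getinfo($ch, CURLINFO_REDIRECT_URL); // absolute Location, if any
        curl_close($ch);

        if ($body === false) {
            return false;
        }
        if ($code >= 300 && $code < 400 && is_string($next) && $next !== '') {
            $url = $next; // loop: the redirect target gets exactly the same checks
            continue;
        }
        return $code === 200 ? $body : false;
    }
    return false; // too many redirects
}
```

Calling fetchLogoHardened() with an attacker URL whose first hop is public but whose Location header points at 169.254.169.254 returns false at the second iteration, where fetchLogoVulnerable() would have fetched the metadata document. The example is IPv4-only and relies on PHP's private/reserved flags, which do not cover every non-routable block (100.64.0.0/10, for instance); a production check should also resolve AAAA records and, on PHP 8.2 or later, use FILTER_FLAG_GLOBAL_RANGE.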


Technical Details

Data Version
5.2
Assigner Short Name
GitHub_M
Date Reserved
2026-02-19T19:46:03.540Z
Cvss Version
3.1
State
PUBLISHED

Threat ID: 69996d8dbe58cf853b6e3314

Added to database: 2/21/2026, 8:32:13 AM

Last enriched: 2/28/2026, 12:42:09 PM

Last updated: 4/7/2026, 12:24:03 PM

Views: 153

