CVE-2026-30839 is a Server-Side Request Forgery (SSRF) vulnerability categorized under CWE-918, affecting ellite's Wallos software versions prior to 4.6.2. Wallos is an open-source, self-hostable personal subscription tracker. The vulnerability exists in the testwebhooknotifications.php script, which fails to validate the target URL against private or reserved IP address ranges. This lack of validation allows an attacker to craft requests that force the server to initiate HTTP requests to arbitrary internal or external resources, including those on private networks. Because the server returns the response from these requests to the attacker, this can lead to unauthorized information disclosure from internal systems that are otherwise inaccessible externally. The vulnerability does not require user interaction but does require the attacker to have low privileges on the server (PR:L). The attack vector is network-based (AV:N), and the attack complexity is low (AC:L). The vulnerability does not require authentication (AT:N), and there is no impact on integrity, availability, or confidentiality beyond the limited information disclosure (VC:L). The issue was patched in Wallos version 4.6.2 by adding proper validation to block requests targeting private or reserved IP ranges. No known exploits are currently reported in the wild, but the vulnerability poses a risk to organizations running outdated versions of Wallos, especially if the vulnerable endpoint is exposed to untrusted networks.

The primary impact of this SSRF vulnerability is unauthorized information disclosure from internal or protected network resources. Attackers can leverage the vulnerability to access internal services, metadata endpoints, or other sensitive resources that are not directly accessible from the internet. This can lead to reconnaissance that facilitates further attacks such as privilege escalation, lateral movement, or data exfiltration. Since Wallos is a self-hosted subscription tracker, organizations using it may expose internal network infrastructure details or sensitive subscription data. The vulnerability could also be used to bypass firewall rules or access cloud provider metadata services if Wallos is hosted in cloud environments, potentially leading to credential theft or further compromise. Although the CVSS score is medium, the risk increases if the vulnerable endpoint is exposed to the internet or untrusted networks. Organizations with Wallos instances accessible externally or with weak access controls are at higher risk. The lack of known exploits reduces immediate threat but does not eliminate the potential for future exploitation.

1. Upgrade Wallos to version 4.6.2 or later immediately to apply the official patch that validates URLs against private and reserved IP ranges. 2. Restrict access to the testwebhooknotifications.php endpoint by implementing network-level controls such as firewalls or VPNs to limit usage to trusted users or systems only. 3. Implement web application firewall (WAF) rules to detect and block SSRF attack patterns targeting Wallos endpoints. 4. Monitor logs for unusual outbound HTTP requests originating from the Wallos server, especially those targeting internal IP ranges or unexpected external domains. 5. Conduct internal network segmentation to limit the impact of SSRF by isolating critical services and metadata endpoints from the Wallos host. 6. Review and harden server permissions to ensure that only authorized users have access to Wallos administrative functions, minimizing the risk of low-privilege exploitation. 7. Educate administrators about the risks of SSRF and encourage regular software updates and security audits for self-hosted applications.