CVE-2026-33399 is a Server-Side Request Forgery (SSRF) vulnerability in ellite's Wallos, an open-source personal subscription tracker. The flaw exists because the SSRF mitigation introduced in version 4.6.2 was incomplete: the function validate_webhook_url_for_ssrf() was applied only to test notification endpoints but not to the save notification endpoints. Consequently, an authenticated user can register internal or private IP addresses as notification URLs. When the scheduled cron job sendnotifications.php executes, it sends HTTP requests to these attacker-controlled internal addresses without any SSRF validation, enabling potential unauthorized access to internal network services. The vulnerability affects all versions prior to 4.7.0, where the issue was fully patched. The CVSS 3.1 score of 7.7 reflects a high-severity vulnerability with network attack vector, low attack complexity, requiring privileges but no user interaction, and impacting confidentiality with a scope change. No known exploits are reported in the wild yet, but the vulnerability poses a significant risk to internal network security due to the ability to pivot from an authenticated user to internal resources.

The primary impact of this SSRF vulnerability is unauthorized access to internal network resources that are normally inaccessible from outside the organization. An attacker with valid credentials can exploit this flaw to send crafted requests to internal IP addresses, potentially accessing sensitive internal services, metadata endpoints, or administrative interfaces. This can lead to information disclosure, reconnaissance, and potentially further exploitation within the internal network. Since the vulnerability does not affect integrity or availability directly, the main concern is confidentiality breach and lateral movement. Organizations using Wallos versions prior to 4.7.0 are at risk, especially those with sensitive internal services exposed only internally. The scope change in CVSS indicates that the vulnerability can affect components beyond the initially vulnerable software, increasing the overall risk. The requirement for authentication limits exploitation to insiders or compromised accounts, but the lack of user interaction requirement facilitates automated attacks once credentials are obtained.

To mitigate this vulnerability, organizations should immediately upgrade Wallos to version 4.7.0 or later, where the SSRF fix is fully implemented. Until upgrading is possible, administrators should audit and restrict notification URLs configured by users, ensuring no internal or private IP addresses are allowed. Implement network-level controls such as firewall rules or egress filtering to prevent the Wallos server from making HTTP requests to internal IP ranges. Additionally, enforce strict authentication and authorization policies to limit access to Wallos to trusted users only. Monitoring and logging of outgoing requests from the Wallos server can help detect suspicious SSRF exploitation attempts. Finally, consider isolating the Wallos server in a segmented network zone with limited access to critical internal resources to reduce potential impact.