CVE-2026-27479
📋 TL;DR
Wallos versions 4.6.0 and below contain a Server-Side Request Forgery (SSRF) vulnerability in the logo/icon upload functionality. Attackers can bypass IP validation by exploiting HTTP redirects to access internal resources, including cloud metadata endpoints. This affects all self-hosted Wallos instances running vulnerable versions.
💻 Affected Systems
- Wallos
📦 What is this software?
Wallos by Wallosapp
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of cloud infrastructure via metadata endpoint access, leading to credential theft, instance takeover, and lateral movement within cloud environments.
Likely Case
Unauthorized access to internal network resources, sensitive data exfiltration, and potential privilege escalation through internal service interaction.
If Mitigated
Limited impact with proper network segmentation and metadata endpoint protections, though internal resource enumeration remains possible.
🎯 Exploit Status
Exploitation requires user access to upload functionality but is straightforward once access is obtained.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 4.6.1
Vendor Advisory: https://github.com/ellite/Wallos/security/advisories/GHSA-fgmf-7g5v-jmjg
Restart Required: Yes
Instructions:
1. Backup your Wallos database and configuration.
2. Download version 4.6.1 from GitHub releases.
3. Replace the existing files with the new version.
4. Restart your web server.
5. Verify functionality.
🔧 Temporary Workarounds
Disable logo upload functionality
Temporarily disable the subscription/payment logo upload feature in the Wallos configuration
Edit Wallos configuration to remove or comment out logo upload options
Network restrictions
Block outbound HTTP requests from the Wallos server to internal networks and metadata endpoints
iptables -A OUTPUT -p tcp --dport 80 -d 169.254.169.254 -j DROP
iptables -A OUTPUT -p tcp --dport 80 -d 10.0.0.0/8 -j DROP
iptables -A OUTPUT -p tcp --dport 80 -d 172.16.0.0/12 -j DROP
iptables -A OUTPUT -p tcp --dport 80 -d 192.168.0.0/16 -j DROP
🧯 If You Can't Patch
- Implement strict network segmentation to isolate Wallos from internal resources and metadata endpoints
- Deploy a web application firewall (WAF) with SSRF protection rules
🔍 How to Verify
Check if Vulnerable:
Check the Wallos version in the admin interface or by examining source files for version markers
Check Version:
Check the Wallos admin dashboard or examine the includes/version.php file
Verify Fix Applied:
Verify that the version is 4.6.1 or higher, and check that CURLOPT_FOLLOWLOCATION is disabled, or that redirect targets are properly validated, in the getLogoFromUrl() function
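For reference, the pattern the fix needs to establish: cURL must not follow redirects on its own, and every hop must be validated before it is requested. The following is an added example written for this advisory, not Wallos code or the vendor's patch; isForbiddenIp, resolveSafe and safeFetchLogo are hypothetical names, and the check is IPv4-only for brevity.

```php
<?php
// Added example, not Wallos code: fetch a logo URL without letting cURL follow
// redirects. Each hop is parsed, resolved once, checked against private/reserved
// ranges and pinned, so a Location header cannot steer the request to 169.254.169.254
// or an internal host. All function names are hypothetical.
function isForbiddenIp(string $ip): bool {
    // NO_PRIV_RANGE: 10/8, 172.16/12, 192.168/16, fc00::/7
    // NO_RES_RANGE: 0/8, 127/8, 169.254/16 (cloud metadata), 240/4, ::1, fe80::/10
    return filter_var($ip, FILTER_VALIDATE_IP,
        FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) === false;
}
function resolveSafe(string $host): ?string {
    // Resolve once and validate every record (IPv4 only here; add AAAA handling
    // in production). Returns one address to pin, or null to refuse the host.
    $ips = filter_var($host, FILTER_VALIDATE_IP) ? [$host] : (gethostbynamel($host) ?: []);
    if ($ips === []) { return null; }
    foreach ($ips as $ip) { if (isForbiddenIp($ip)) { return null; } }
    return $ips[0];
}
function safeFetchLogo(string $url, int $maxHops = 3): ?string {
    for ($hop = 0; $hop <= $maxHops; $hop++) {
        $p = parse_url($url);
        if ($p === false || empty($p['host'])) { return null; }
        $scheme = $p['scheme'] ?? '';
        if (!in_array($scheme, ['http', 'https'], true)) { return null; }
        $ip = resolveSafe($p['host']);
        if ($ip === null) { return null; }          // internal or unresolvable: refuse
        $port = $p['port'] ?? ($scheme === 'https' ? 443 : 80);
        $ch = curl_init($url);
        curl_setopt_array($ch, [
            CURLOPT_RETURNTRANSFER => true,
            CURLOPT_FOLLOWLOCATION => false,        // never auto-follow Location
            CURLOPT_PROTOCOLS      => CURLPROTO_HTTP | CURLPROTO_HTTPS,
            CURLOPT_RESOLVE        => ["{$p['host']}:{$port}:{$ip}"], // pin the checked IP
            CURLOPT_TIMEOUT        => 10,
        ]);
        $body   = curl_exec($ch);
        $status = (int) curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
        $next   = curl_getinfo($ch, CURLINFO_REDIRECT_URL);  // absolute Location target
        curl_close($ch);
        if ($status >= 300 && $status < 400 && $next) {
            $url = $next;                           // re-validated on the next iteration
            continue;
        }
        return ($status === 200 && is_string($body)) ? $body : null;
    }
    return null;                                    // redirect chain too long
}
```

Pinning the validated address with CURLOPT_RESOLVE matters because a separate lookup at connect time would otherwise reopen the check to DNS rebinding.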
📡 Detection & Monitoring
Log Indicators:
- Unusual outbound HTTP requests from Wallos server to internal IPs
- Multiple HTTP redirects in logo upload requests
- Requests to cloud metadata endpoints (169.254.169.254)
Network Indicators:
- HTTP traffic from Wallos server to private IP ranges
- Requests to known metadata endpoints
SIEM Query:
source="wallos-logs" AND (dest_ip IN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 169.254.169.254) OR http_status=3*)