CVE-2026-33401: Wallos: SSRF allows internal network access

Severity: UNKNOWN | PoC AVAILABLE | CISA SSVC: TRACK*
Published March 24, 2026
CISO Take

CVE-2026-33401 is an incomplete SSRF patch in Wallos that left three endpoints unprotected, including the AI Ollama host configuration parameter. Any authenticated user can point the Ollama host at the AWS instance metadata service (169.254.169.254) or the equivalent GCP, Azure or Alibaba Cloud endpoints, have Wallos fetch the URL, and harvest the instance role's IAM credentials to pivot into your cloud environment. If you run Wallos on an EC2 instance that still answers token-less IMDSv1 requests, treat this as critical: patch to 4.7.0 immediately and require IMDSv2 on all instances. GCP and Azure metadata services only answer requests that carry a specific header (Metadata-Flavor: Google, Metadata: true), which a URL-only SSRF cannot add, so on those platforms the direct exposure is internal-network and localhost reach rather than credential theft; patch there too.

Risk Assessment

Medium-High. Requires authentication but that bar is low for a self-hosted multi-user app. The blast radius escalates significantly in cloud deployments with IMDSv1 enabled — a single compromised account becomes cloud credential theft. On-prem deployments risk internal network reconnaissance and access to localhost-bound services. The incomplete patch pattern (CVE-2026-30840 fixed some endpoints, missed three others) suggests insufficient security review of the AI feature surface during development.

Severity & Risk

CVSS 3.1: N/A
EPSS: 0.0% chance of exploitation in 30 days (higher than 11% of all CVEs)
Exploitation Status: Exploit Available (exploitation likelihood: MEDIUM)
Sophistication: Trivial
Exploitation Confidence: medium
CISA SSVC: Public PoC (indexed in trickest/cve)
Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Recommended Action

  1. Patch immediately to Wallos 4.7.0.

  2. On AWS: require IMDSv2 with a hop limit of 1 on every EC2 instance running Wallos. IMDSv2 demands a PUT carrying a token-TTL header before any metadata GET is answered, which a URL-only SSRF cannot perform, so this closes the credential-theft path even on an unpatched instance. The SSRF itself, and its reach into other internal services, remain until you patch.

  3. On GCP/Azure: the metadata servers reject requests that lack the Metadata-Flavor: Google or Metadata: true header, which this SSRF cannot add; confirm that GCP's legacy metadata endpoints remain disabled. A host firewall rule blocking 169.254.169.254 is only safe where nothing on the host legitimately uses the metadata service; otherwise scope the rule to the account Wallos runs as (for example an iptables owner match) rather than the whole host.

  4. Audit logs for outbound HTTP requests from the Wallos host, particularly to RFC 1918 ranges, loopback, 169.254.169.254 (AWS/GCP/Azure metadata) or 100.100.100.200 (Alibaba Cloud metadata), including numeric shorthand and IPv4-mapped IPv6 forms of those addresses. Also review the Ollama host value stored in each user's AI settings.

  5. Network-level: restrict Wallos host egress to only the required destinations (the Ollama endpoint, notification providers).

  6. Review all user-configurable URL/host parameters in any AI-integrated self-hosted app for SSRF controls: resolve the name, check every resolved address against a denylist, and connect to the checked address rather than re-resolving at fetch time.
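For step 2 above, the following Python is an added example (not from this page or the Wallos project) that audits an ec2:DescribeInstances response for instances whose metadata service still answers token-less requests or allows more than one hop, and builds the modify_instance_metadata_options call that fixes each one. The sample response and instance IDs are constructed; the live path needs boto3 and AWS credentials and is not exercised offline.

```python
"""Find EC2 instances whose metadata service is still reachable by a plain SSRF GET.

Input shape is the ec2:DescribeInstances response; the MetadataOptions fields
(HttpEndpoint, HttpTokens, HttpPutResponseHopLimit) are the ones AWS documents.
"""


def metadata_findings(instance):
    """Return the list of problems with one instance's MetadataOptions."""
    mo = instance.get("MetadataOptions", {})
    issues = []
    if mo.get("HttpEndpoint") == "disabled":
        return issues  # IMDS switched off entirely: nothing for an SSRF to fetch
    if mo.get("HttpTokens") != "required":
        # IMDSv1 still answers: a bare GET to 169.254.169.254 returns role
        # credentials, and a bare GET is all a URL-only SSRF can send.
        issues.append("imdsv1-allowed")
    if mo.get("HttpPutResponseHopLimit", 1) > 1:
        # IMDSv2 token responses may cross a NAT/bridge hop, e.g. into containers.
        issues.append("hop-limit>1")
    return issues


def audit(describe_instances_response):
    """Map InstanceId -> issues for every instance that needs remediation."""
    findings = {}
    for reservation in describe_instances_response.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            issues = metadata_findings(inst)
            if issues:
                findings[inst["InstanceId"]] = issues
    return findings


def remediation_params(instance_id):
    """Keyword arguments for boto3 ec2.modify_instance_metadata_options()."""
    return {
        "InstanceId": instance_id,
        "HttpEndpoint": "enabled",
        "HttpTokens": "required",       # IMDSv2 only: no token, no metadata
        "HttpPutResponseHopLimit": 1,   # token answer never leaves the instance's own stack
    }


# Constructed sample in the DescribeInstances shape; the instance IDs are made up.
SAMPLE_RESPONSE = {
    "Reservations": [
        {"Instances": [
            {"InstanceId": "i-0aaaaaaaaaaaaaaa1",
             "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "optional", "HttpPutResponseHopLimit": 1}},
            {"InstanceId": "i-0bbbbbbbbbbbbbbb2",
             "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "required", "HttpPutResponseHopLimit": 2}},
        ]},
        {"Instances": [
            {"InstanceId": "i-0ccccccccccccccc3",
             "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "required", "HttpPutResponseHopLimit": 1}},
            {"InstanceId": "i-0ddddddddddddddd4",
             "MetadataOptions": {"HttpEndpoint": "disabled", "HttpTokens": "optional", "HttpPutResponseHopLimit": 1}},
        ]},
    ]
}


def run_live(region, apply=False):
    """Live variant: page through DescribeInstances and optionally apply the fix (needs boto3 + credentials)."""
    import boto3  # imported here so the offline demo does not require it
    ec2 = boto3.client("ec2", region_name=region)
    response = {"Reservations": []}
    for page in ec2.get_paginator("describe_instances").paginate():
        response["Reservations"].extend(page["Reservations"])
    findings = audit(response)
    if apply:
        for instance_id in findings:
            ec2.modify_instance_metadata_options(**remediation_params(instance_id))
    return findings


if __name__ == "__main__":
    for instance_id, issues in audit(SAMPLE_RESPONSE).items():
        print(instance_id, issues, "->", remediation_params(instance_id))
```

Run `run_live("eu-west-1")` to list offenders and `run_live("eu-west-1", apply=True)` to enforce; the hop-limit finding is lower severity than imdsv1-allowed because IMDSv2 still requires the PUT, but it matters once Wallos runs in a container behind a bridge.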

CISA SSVC Assessment

Decision: Track*
Exploitation: poc
Automatable: No
Technical Impact: partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act
Art. 15 - Accuracy, robustness and cybersecurity
ISO 42001
A.6.2.6 - AI system security
NIST AI RMF
MANAGE 2.2 - Mechanisms to sustain treatment of identified risks
OWASP LLM Top 10
LLM07 - Insecure Plugin Design

Frequently Asked Questions

What is CVE-2026-33401?

An incomplete follow-up to the CVE-2026-30840 SSRF fix in Wallos before 4.7.0: the AI Ollama host parameter, the AI recommendations endpoint and the notification cron job still fetch attacker-chosen URLs, so any authenticated user can reach cloud metadata services, localhost-bound services and internal hosts. See the CISO Take above for the cloud impact.

Is CVE-2026-33401 actively exploited?

This page records the status as "Exploit Available" with a public proof-of-concept indexed (trickest/cve), not as active exploitation; SSVC exploitation is "poc" and EPSS is 0.0%. Because the exploit is trivial for any authenticated user, treat it as exploitable in practice regardless.

How to fix CVE-2026-33401?

Follow the six-step Recommended Action list above. In short: patch to 4.7.0, require IMDSv2 on AWS, restrict egress from the Wallos host to the Ollama endpoint and notification providers, and audit outbound requests for metadata and internal address space.

What systems are affected by CVE-2026-33401?

Wallos prior to version 4.7.0, in any deployment where an authenticated user can edit the AI/Ollama settings or trigger the notification cron job. The page tags the following AI/ML architecture patterns: local LLM inference (Ollama-backed), self-hosted AI applications, cloud-deployed AI workloads, and AI agent frameworks with configurable endpoints.

What is the CVSS score for CVE-2026-33401?

No CVSS score has been assigned yet.

Technical Details

NVD Description

Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.7.0, the patch introduced in commit e8a513591 (CVE-2026-30840) added SSRF protection to notification test endpoints but left three additional attack surfaces unprotected: the AI Ollama host parameter, the AI recommendations endpoint, and the notification cron job. An authenticated user can reach internal network services, cloud metadata endpoints (AWS IMDSv1, GCP, Azure IMDS), or localhost-bound services by supplying a crafted URL to any of these endpoints. This issue has been patched in version 4.7.0.

Exploitation Scenario

An authenticated attacker logs into a cloud-hosted Wallos instance on EC2 with IMDSv1 still enabled. In the AI settings, they set the Ollama host parameter to http://169.254.169.254/latest/meta-data/iam/security-credentials/. Wallos makes the outbound request and returns the response body, which lists the name of the instance's IAM role; the attacker then sets the host to the same path with the role name appended and receives the temporary credentials (AccessKeyId, SecretAccessKey, Token, Expiration) for that role. Exporting them as AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY and AWS_SESSION_TOKEN is enough to use the AWS CLI to enumerate S3 buckets, read secrets from Secrets Manager, or pivot to other AWS services within the role's permissions. The notification cron job endpoint provides an alternative trigger that fires automatically, removing the need for repeated manual interaction.
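The Python below is an added example, not code from this page or from Wallos (which is PHP; its actual 4.7.0 validation is not reproduced here). It shows the kind of check the three unpatched endpoints needed for a user-supplied Ollama host: resolve the name and judge every resolved address, unwrap numeric shorthand such as 2852039166 and IPv4-mapped IPv6, deny metadata, loopback and link-local space unconditionally, and deny RFC 1918 space unless the operator allowlists the network the real Ollama box lives on. The same check is then run over constructed egress-log lines for step 4 of the Recommended Action. The log format, hostnames, DNS table and addresses are all constructed for the demo.

```python
import ipaddress
import re
import socket
from urllib.parse import urlsplit

# Never reachable whatever the operator configures: loopback, "this network", link-local
# (cloud IMDS at 169.254.169.254), CGNAT (Alibaba IMDS at 100.100.100.200), multicast, reserved.
ALWAYS_DENY = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16", "224.0.0.0/4",
    "240.0.0.0/4", "::/128", "::1/128", "fe80::/10", "ff00::/8")]
# RFC 1918 / ULA: a real Ollama box often lives here, so deny by default but let the operator
# open specific networks through allowed_nets instead of trusting the user-supplied URL.
PRIVATE = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]

def classify(ip_text, allowed_nets=()):
    """None if the address may be contacted, otherwise the reason it may not."""
    ip = ipaddress.ip_address(ip_text)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped:
        ip = ip.ipv4_mapped  # ::ffff:169.254.169.254 must be judged by the IPv4 rules
    for net in ALWAYS_DENY:
        if ip in net:
            return f"{ip} is in always-denied range {net}"
    for net in PRIVATE:
        if ip in net and not any(ip in a for a in allowed_nets):
            return f"{ip} is private ({net}) and not in the operator allowlist"
    return None

def system_resolver(host):
    try:
        return sorted({ai[4][0] for ai in socket.getaddrinfo(host, None)})
    except socket.gaierror:
        return []

def resolve_all(host, resolver=system_resolver):
    """Every address a host may map to, including numeric shorthand that never reaches DNS."""
    try:
        return [str(ipaddress.ip_address(host))]
    except ValueError:
        pass
    try:  # inet_aton also accepts 2852039166, 0xA9FEA9FE, 0251.0376.0251.0376 (all 169.254.169.254)
        return [str(ipaddress.IPv4Address(socket.inet_aton(host)))]
    except OSError:
        pass
    return resolver(host)

def validate_ollama_host(url, allowed_nets=(), resolver=system_resolver):
    """Check a user-supplied Ollama base URL. Returns (True, pinned_ip) or (False, reason)."""
    allowed = [ipaddress.ip_network(n) for n in allowed_nets]
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, f"scheme {parts.scheme!r} not allowed"
    if not parts.hostname:
        return False, "no host in URL"
    if parts.username is not None:
        return False, "userinfo in URL not allowed"
    ips = resolve_all(parts.hostname, resolver)
    if not ips:
        return False, f"{parts.hostname} does not resolve"
    for ip in ips:  # every answer must pass: one internal record among public ones is a rejection
        reason = classify(ip, allowed)
        if reason:
            return False, reason
    # Callers connect to this pinned address (sending Host: <name>) instead of resolving again
    # at fetch time; otherwise a DNS rebinding between check and fetch reopens the hole.
    return True, ips[0]

# Constructed egress-proxy log, "<timestamp> <source> <method> <url> <status>"; not a real Wallos format.
LOG_LINE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$")
SAMPLE_EGRESS_LOG = """\
2026-03-24T10:01:02Z 10.0.3.12 GET http://ollama.lab.example:11434/api/tags 200
2026-03-24T10:04:17Z 10.0.3.12 GET http://169.254.169.254/latest/meta-data/iam/security-credentials/ 200
2026-03-24T10:04:19Z 10.0.3.12 GET http://2852039166/latest/meta-data/iam/security-credentials/wallos-role 200
2026-03-24T10:06:40Z 10.0.3.12 POST https://api.example/notify 204
2026-03-24T10:07:01Z 10.0.3.12 GET http://[::ffff:169.254.169.254]/latest/meta-data/ 200
""".splitlines()

# Constructed DNS table so the demo runs offline; production code uses system_resolver.
FAKE_DNS = {
    "ollama.lab.example": ["192.168.10.5"], "api.example": ["203.0.113.7"],
    "metadata.google.internal": ["169.254.169.254"], "localhost": ["127.0.0.1", "::1"],
    "split.example": ["203.0.113.7", "10.0.0.9"], "2852039166": ["169.254.169.254"],
}

def fake_resolver(host):
    return FAKE_DNS.get(host, [])

def scan_egress_log(lines, allowed_nets=(), resolver=system_resolver):
    """(timestamp, url, reason) for every logged request whose destination fails the same check."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if m:
            ok, detail = validate_ollama_host(m["url"], allowed_nets, resolver)
            if not ok:
                hits.append((m["ts"], m["url"], detail))
    return hits

if __name__ == "__main__":
    for hit in scan_egress_log(SAMPLE_EGRESS_LOG, ["192.168.10.0/24"], fake_resolver):
        print(*hit)
```

The allowlist is the practical compromise: a blanket RFC 1918 block would break the common case where Ollama runs on the LAN, while 169.254.0.0/16 and 100.64.0.0/10 stay denied even if an operator lists them. Resolving every record matters because a name with one public and one internal answer is a classic bypass, and pinning the checked address is what defeats rebinding.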

Weaknesses (CWE)

Timeline

Published
March 24, 2026
Last Modified
March 24, 2026
First Seen
March 24, 2026

Related Vulnerabilities