CVE-2026-33401

UNKNOWN
Published March 24, 2026
CISO Take

CVE-2026-33401 is an incomplete SSRF patch in Wallos that left three endpoints unprotected, including the AI Ollama host configuration parameter. Any authenticated user can point the Ollama host to AWS IMDSv1 (169.254.169.254) or equivalent cloud metadata endpoints to harvest IAM credentials and pivot to your cloud environment. If you run Wallos in AWS, GCP, or Azure without IMDSv2 enforcement, treat this as critical — patch to 4.7.0 immediately and enforce IMDSv2 on all instances.

Severity & Risk

CVSS 3.1: N/A
EPSS: N/A
KEV Status: Not in KEV
Sophistication: Trivial

Recommended Action

  1. Patch immediately to Wallos 4.7.0.
  2. On AWS: enforce IMDSv2 (hop limit=1) on all EC2 instances running Wallos — this blocks SSRF to the metadata service even if unpatched.
  3. On GCP/Azure: verify metadata server access controls and consider instance-level firewall rules blocking 169.254.169.254.
  4. Audit logs for suspicious outbound HTTP requests from your Wallos instance, particularly to RFC1918 ranges, 169.254.169.254, or 100.100.100.200.
  5. Network-level: restrict Wallos host egress to only required destinations (Ollama endpoint, notification providers).
  6. Review all user-configurable URL/host parameters in any AI-integrated self-hosted app for SSRF controls.
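Item 6 asks for SSRF controls on user-configurable URL/host parameters. The following is an added example, not Wallos code (Wallos is PHP): a Python check of the kind an Ollama-host or similar setting should pass before the application issues an outbound request. It rejects non-HTTP schemes and any host whose IP literal or resolved addresses fall in loopback, RFC1918, link-local (169.254.169.254) or shared-address (100.100.100.200) space, including IPv4-mapped IPv6 forms; the `resolve` parameter is an assumed hook so the check can be exercised without live DNS.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# The ipaddress flags used below already cover RFC1918, loopback and
# 169.254.0.0/16. 100.64.0.0/10 (shared address space, which contains the
# 100.100.100.200 metadata address) is listed explicitly because the
# ipaddress module does not report it as private.
EXTRA_DENIED = [ipaddress.ip_network("100.64.0.0/10")]
ALLOWED_SCHEMES = {"http", "https"}


def is_denied_ip(ip: str) -> bool:
    """True if the address is loopback, private, link-local or otherwise internal."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped  # unwrap ::ffff:169.254.169.254 to its IPv4 form
    if (addr.is_private or addr.is_loopback or addr.is_link_local
            or addr.is_multicast or addr.is_reserved or addr.is_unspecified):
        return True
    return any(addr in net for net in EXTRA_DENIED)


def default_resolve(host: str) -> set:
    """Resolve every A/AAAA record; the caller rejects the host if any is denied."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def validate_outbound_url(url: str, resolve=default_resolve):
    """Return (ok, reason) for a user-supplied URL such as an Ollama host setting."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, "scheme not allowed"
    host = parts.hostname
    if not host:
        return False, "missing host"
    try:
        addrs = {str(ipaddress.ip_address(host))}  # IP literal, no DNS needed
    except ValueError:
        try:
            addrs = resolve(host)
        except OSError:  # socket.gaierror is a subclass of OSError
            return False, "unresolvable host"
    for ip in addrs:
        if is_denied_ip(ip):
            return False, f"resolves to denied address {ip}"
    return True, "ok"
```

Apply the same check to every address the HTTP client actually connects to, including redirect targets, and connect to the validated address rather than re-resolving the name, so a host cannot rebind between check and use.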

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act: Art. 15 - Accuracy, robustness and cybersecurity
ISO 42001: A.6.2.6 - AI system security
NIST AI RMF: MANAGE 2.2 - Mechanisms to sustain treatment of identified risks
OWASP LLM Top 10: LLM07 - Insecure Plugin Design

Technical Details

NVD Description

Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.7.0, the patch introduced in commit e8a513591 (CVE-2026-30840) added SSRF protection to notification test endpoints but left three additional attack surfaces unprotected: the AI Ollama host parameter, the AI recommendations endpoint, and the notification cron job. An authenticated user can reach internal network services, cloud metadata endpoints (AWS IMDSv1, GCP, Azure IMDS), or localhost-bound services by supplying a crafted URL to any of these endpoints. This issue has been patched in version 4.7.0.

Exploitation Scenario

An authenticated attacker logs into a cloud-hosted Wallos instance. In the AI settings, they set the Ollama host parameter to http://169.254.169.254/latest/meta-data/iam/security-credentials/. The Wallos application makes an outbound request to this URL and returns the response, including temporary AWS IAM credentials with the instance role permissions. The attacker extracts AccessKeyId, SecretAccessKey, and Token, then uses them via the AWS CLI to enumerate S3 buckets, read secrets from Secrets Manager, or pivot to other AWS services. The notification cron job endpoint provides an alternative trigger that fires automatically, removing the need for repeated manual interaction.

Weaknesses (CWE)

Timeline

Published: March 24, 2026
Last Modified: March 24, 2026
First Seen: March 24, 2026