_explained / wallos-dns-rebinding-subscription-tracker-hack
HIGH PLAIN ENGLISH 5 min read

Your Personal Budget App Could Let Hackers Tunnel Into Your Home Server

A flaw in Wallos, the popular self-hosted subscription tracker, lets attackers trick the app into making dangerous internal network requests. No patch exists yet.

2026-05-07 · Read technical analysis →
💬
PLAIN ENGLISH EDITION

This article is written for general audiences — no security background needed. For the full technical analysis with CVE details, affected versions, and code-level breakdown, visit Intel Reports.

If you're running Wallos to track your Netflix, Spotify, and gym memberships on your own home server, an attacker who knows your server's address can potentially use your app as a weapon against your own network — and right now, there's no fix available.

Who's at Risk — and How Many People That Is

Wallos has become a quiet favorite among the self-hosting community — people who run software on their own hardware at home or in small offices instead of trusting third-party cloud services. It's free, open-source, and genuinely useful: connect it to your bank, log your subscriptions, get alerts when renewals hit. GitHub shows thousands of active deployments, with the project's Docker image pulled hundreds of thousands of times. These are exactly the kind of privacy-conscious, technically capable users who believe running their own software keeps them safer. In this case, that assumption has a dangerous crack in it.

The vulnerability affects Wallos version 4.8.4 and every version before it. At the time of writing, no patched version has been released. If you have a Wallos instance reachable from the internet — even one sitting behind a home router with a port forwarded — you should treat this as an active risk.

What an Attacker Can Actually Do to You

Wallos lets you configure "webhooks" — essentially, a web address that Wallos will automatically ping when something happens, like a subscription renewal coming up. It's a convenience feature: you can have Wallos notify your home automation system, your personal chat bot, or a logging tool. You type in a URL, and Wallos goes and fetches it.

The danger is in how Wallos decides whether a URL is safe to visit. To prevent abuse, the developers added a check: before following a URL, Wallos looks up what server that web address points to, confirms it's not pointing to something on your internal network (like your router at 192.168.1.1 or a private database), and only then fetches the page. The problem is there's a gap — a window of time — between when Wallos checks the address and when it actually goes to fetch it. An attacker can exploit that gap by controlling a fake website that initially pretends to point somewhere innocent, passes the safety check, and then — in the split second before Wallos follows the link — switches to point at something inside your private network instead. This classic trick is called DNS rebinding.

Once that works, Wallos becomes a confused proxy, making requests to internal services on the attacker's behalf. Depending on what's running on your network, that could mean reading data from an internal dashboard, hitting an unauthenticated admin panel on another device, or in worst-case scenarios with certain internal services exposed, achieving remote code execution — making software run on your machines without your permission. The attacker never directly touches your internal network; they just trick your own app into doing their bidding for them.

The Technical Detail That Makes This Nasty

For security researchers, here's the precise failure point: Wallos validates webhook URLs using gethostbyname() at check time, but then passes the original, unresolved hostname directly to cURL for the actual HTTP request — without setting CURLOPT_RESOLVE to pin the IP address resolved during validation. This creates a textbook DNS rebinding TOCTOU (Time-of-Check to Time-of-Use) race condition. Critically, this flaw exists across 10 of the 11 outbound HTTP endpoints in the application, meaning the original SSRF patch was essentially cosmetic. The vulnerability is tracked as CVE-2026-41688 and carries a CVSS score of 7.7 (HIGH).

Discovered How? Any Victims Yet?

At the time of publication, no active exploitation has been confirmed in the wild, and no specific attack campaigns have been publicly attributed to this vulnerability. The flaw appears to have been discovered through code review of Wallos's incomplete previous SSRF fix — a common pattern where a partial security patch creates a false sense of security and the underlying issue remains exploitable through a slightly different path. The researchers who identified this found that the prior fix addressed surface-level behavior without solving the architectural problem underneath.

There are no known victims yet — but "no known victims" and "safe" are not the same thing. A vulnerability that gives attackers access to home networks is exactly the kind of thing that gets quietly weaponized before defenders notice.

What You Should Do Right Now

There is no patch. That makes your options more manual than anyone wants, but they are real and effective:

  1. Take Wallos offline or isolate it immediately. If your Wallos instance is reachable from the internet — via a forwarded port, a reverse proxy, or a VPN with broad access — remove that external access now. Run it only on a fully local network segment until a patched version (4.8.5 or higher) is released. Check the official Wallos GitHub releases page for updates before re-exposing anything.
  2. Disable or remove all webhook configurations. Log into your Wallos dashboard, navigate to your notification and webhook settings, and delete any configured webhook URLs. This removes the primary attack surface. The vulnerability lives in the outbound HTTP request logic, so eliminating outbound webhook triggers dramatically reduces your exposure while you wait for a fix.
  3. Segment your network so Wallos can't reach sensitive devices. Using your router or a managed switch, place your Wallos server on a VLAN or network segment that is blocked from reaching other internal devices — your NAS, home automation hub, internal dashboards, or anything with an admin panel. Even if the vulnerability is triggered, an attacker will hit a wall instead of your internal services. Most modern home routers running firmware like OpenWRT support basic VLAN isolation; if yours doesn't, consider placing Wallos in a dedicated Docker network with explicit --network restrictions and no host-mode networking.

⚠ Watch the Wallos GitHub repository. When a patched release drops, update immediately. The developers have been notified, and a fix is expected — but given that a previous SSRF patch was incomplete, review the release notes carefully to confirm the TOCTOU window is specifically addressed with IP pinning, not just a repeated hostname check.

// TOPICS
#ssrf#dns-rebinding#toctou#webhook#remote-code-execution
// WANT MORE DETAIL?

The technical analysis covers the exact vulnerability mechanism, affected code paths, attack chain, detection methods, and full remediation guide.

Read technical analysis →
Share on X → Get weekly digest →
// TOOLS WE RECOMMEND
NordVPN →

Encrypt your traffic against the threats we explain here.
NordPass →

Stop credential theft. Password manager from Nord Security.
Saily eSIM →

Travel privately. eSIM data for 150+ countries, 10% off.

Affiliate links — commission earned at no cost to you.