Wallos Webhook SSRF Vulnerability Allowing Adjacent-Service Remote Code Execution

Vulnerability

A vulnerability in Wallos versions through 4.8.4 allows normal (non-administrator) users to abuse the webhook notification feature. The feature improperly shares an administrator-configured allowlist of local targets across all users instead of scoping it to the account that configured it. As a result, any logged-in user can set a webhook URL, headers, and body that cause the Wallos server to send requests to allowlisted internal automation services (server-side request forgery). If the targeted service exposes deployment or execution APIs, this can lead to remote code execution on that adjacent service, depending on the specific target.

Impact

Exploitation allows normal users to send arbitrary requests to internal services from the Wallos application server. This could disrupt the target service or, if the service has execution capabilities, lead to unauthorized command execution in the context of that service.

Reproduction

To reproduce this vulnerability, an administrator must first add an internal automation service to the local webhook notifications allowlist. Then, a normal user can log into Wallos, navigate to the webhook settings, and set a webhook URL pointing at a deployment or execution endpoint on the allowlisted service. After the webhook fires, the service logs the incoming request, confirming that the server-side request reached it. If the target service supports command execution, that execution is the final step of the chain.
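The root cause described above is an allowlist that is consulted globally rather than per user. The following is an added example (not Wallos code) contrasting that flawed check with a per-user scoped check; the User model, the allowlist layout and the sample entries are all constructed for illustration.

```python
"""Webhook target authorization: shared local-target allowlist (flawed) vs per-user scoping.

Added example, not Wallos code. Assumes each user's allowlist is stored as a
set of "host:port" strings keyed by that user's id (constructed layout).
"""
import ipaddress
from dataclasses import dataclass
from urllib.parse import urlsplit

@dataclass
class User:
    id: int
    is_admin: bool = False

LOCAL_HOSTNAMES = {"localhost", "localhost.localdomain"}

def is_local_target(host: str) -> bool:
    """True for loopback/private/link-local literals and local-looking hostnames."""
    h = host.lower().rstrip(".")
    if h in LOCAL_HOSTNAMES or h.endswith(".local") or "." not in h:
        return True
    try:
        ip = ipaddress.ip_address(h)
    except ValueError:
        return False  # public hostname; DNS resolution is out of scope for this example
    return ip.is_private or ip.is_loopback or ip.is_link_local or ip.is_reserved or ip.is_unspecified

def _host_port(parts) -> str:
    port = parts.port or (443 if parts.scheme == "https" else 80)
    return f"{parts.hostname.lower()}:{port}"

def allowed_weak(url: str, user: User, allowlists: dict) -> bool:
    """Flawed pattern: every user's allowlist entries are pooled into one global list."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or parts.hostname is None:
        return False
    if not is_local_target(parts.hostname):
        return True
    pooled = set().union(*allowlists.values())  # the bug: entries are not tied to their owner
    return _host_port(parts) in pooled

def allowed_fixed(url: str, user: User, allowlists: dict) -> bool:
    """Hardened: a local target is reachable only by the user whose own allowlist names it."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or parts.hostname is None:
        return False
    if not is_local_target(parts.hostname):
        return True
    return _host_port(parts) in allowlists.get(user.id, set())

# Constructed sample data: only the administrator has added an internal automation host.
ADMIN = User(id=1, is_admin=True)
NORMAL = User(id=2)
ALLOWLISTS = {ADMIN.id: {"10.0.0.5:8080"}}
INTERNAL_URL = "http://10.0.0.5:8080/hook"
```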

Added: May 7, 2026, 3:32 PM
Updated: May 7, 2026, 3:32 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 0.4
exploitability: 4.0
remediation: 0.0
relevance: 7.7
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.