CVE-2026-41689

Name of the Vulnerable Software and Affected Versions Wallos versions 4.8.4 and earlier

Description The webhook notification feature reuses an administrator-configured local-target allowlist for all logged-in users. This allows a standard user to control the webhook URL, headers, and body to send server-side requests to internal automation services present on the allowlist. If a target service exposes deployment or execution APIs, this could lead to remote code execution (RCE) on the adjacent service, depending on the target service configuration.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.