Skip to main content

Kan CVE-2026-32255

HIGH
Server-Side Request Forgery (SSRF) (CWE-918)
2026-03-18 GitHub_M
8.6
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.6 HIGH
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

2
Analysis Generated
Mar 18, 2026 - 23:30 vuln.today
CVE Published
Mar 18, 2026 - 23:11 nvd
HIGH 8.6

DescriptionGitHub Advisory

Kan is an open-source project management tool. In versions 0.5.4 and below, the /api/download/attatchment endpoint has no authentication and no URL validation. The Attachment Download endpoint accepts a user-supplied URL query parameter and passes it directly to fetch() server-side, and returns the full response body. An unauthenticated attacker can use this to make HTTP requests from the server to internal services, cloud metadata endpoints, or private network resources. This issue has been fixed in version 0.5.5. To workaround this issue, block or restrict access to /api/download/attatchment at the reverse proxy level (nginx, Cloudflare, etc.).

AnalysisAI

Kan, an open-source project management tool, contains a Server-Side Request Forgery (SSRF) vulnerability in its unauthenticated /api/download/attatchment endpoint in versions 0.5.4 and below. Attackers can exploit this to make arbitrary HTTP requests from the server to internal services, cloud metadata endpoints (such as AWS EC2 metadata at 169.254.169.254), or private network resources without any authentication. With a CVSS score of 8.6 (High) reflecting network-based attack vector, low complexity, and no privileges required, this poses significant risk for confidentiality breaches in affected deployments.

Technical ContextAI

This vulnerability affects Kan (CPE: cpe:2.3:a:kanbn:kan:*:*:*:*:*:*:*:*), an open-source project management application. The root cause is CWE-918 (Server-Side Request Forgery), where the /api/download/attatchment endpoint accepts a user-controlled URL parameter and passes it directly to a server-side fetch() function without validation or authentication checks. This allows attackers to abuse the server as a proxy to make HTTP requests to arbitrary destinations. The server returns the full response body, enabling information disclosure from internal network resources that would normally be inaccessible from external networks, including cloud provider metadata services, internal APIs, databases, and other backend systems on private network segments.

RemediationAI

Upgrade Kan to version 0.5.5 or later, which contains the fix for this SSRF vulnerability as documented in the GitHub release at https://github.com/kanbn/kan/releases/tag/v0.5.5 and implemented in commit 53397d8e81dc1494d94132848c1f0416f1152bd7 (https://github.com/kanbn/kan/commit/53397d8e81dc1494d94132848c1f0416f1152bd7). As an interim workaround until upgrading is possible, block or restrict access to the /api/download/attatchment endpoint at the reverse proxy level using nginx, Cloudflare, or similar web application firewall solutions. Additionally, implement network segmentation to limit the server's ability to access internal networks and cloud metadata endpoints, and consider implementing egress filtering to restrict outbound connections from the Kan application server to only necessary destinations.

Share

CVE-2026-32255 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy