Kan
CVE-2026-32255
HIGH
Severity by source
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
Lifecycle Timeline
2DescriptionGitHub Advisory
Kan is an open-source project management tool. In versions 0.5.4 and below, the /api/download/attatchment endpoint has no authentication and no URL validation. The Attachment Download endpoint accepts a user-supplied URL query parameter and passes it directly to fetch() server-side, and returns the full response body. An unauthenticated attacker can use this to make HTTP requests from the server to internal services, cloud metadata endpoints, or private network resources. This issue has been fixed in version 0.5.5. To workaround this issue, block or restrict access to /api/download/attatchment at the reverse proxy level (nginx, Cloudflare, etc.).
AnalysisAI
Kan, an open-source project management tool, contains a Server-Side Request Forgery (SSRF) vulnerability in its unauthenticated /api/download/attatchment endpoint in versions 0.5.4 and below. Attackers can exploit this to make arbitrary HTTP requests from the server to internal services, cloud metadata endpoints (such as AWS EC2 metadata at 169.254.169.254), or private network resources without any authentication. With a CVSS score of 8.6 (High) reflecting network-based attack vector, low complexity, and no privileges required, this poses significant risk for confidentiality breaches in affected deployments.
Technical ContextAI
This vulnerability affects Kan (CPE: cpe:2.3:a:kanbn:kan:*:*:*:*:*:*:*:*), an open-source project management application. The root cause is CWE-918 (Server-Side Request Forgery), where the /api/download/attatchment endpoint accepts a user-controlled URL parameter and passes it directly to a server-side fetch() function without validation or authentication checks. This allows attackers to abuse the server as a proxy to make HTTP requests to arbitrary destinations. The server returns the full response body, enabling information disclosure from internal network resources that would normally be inaccessible from external networks, including cloud provider metadata services, internal APIs, databases, and other backend systems on private network segments.
RemediationAI
Upgrade Kan to version 0.5.5 or later, which contains the fix for this SSRF vulnerability as documented in the GitHub release at https://github.com/kanbn/kan/releases/tag/v0.5.5 and implemented in commit 53397d8e81dc1494d94132848c1f0416f1152bd7 (https://github.com/kanbn/kan/commit/53397d8e81dc1494d94132848c1f0416f1152bd7). As an interim workaround until upgrading is possible, block or restrict access to the /api/download/attatchment endpoint at the reverse proxy level using nginx, Cloudflare, or similar web application firewall solutions. Additionally, implement network segmentation to limit the server's ability to access internal networks and cloud metadata endpoints, and consider implementing egress filtering to restrict outbound connections from the Kan application server to only necessary destinations.
Same weakness CWE-918 – Server-Side Request Forgery (SSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today