Skip to main content

WeKan CVE-2026-41455

| EUVDEUVD-2026-25118 MEDIUM
Server-Side Request Forgery (SSRF) (CWE-918)
2026-04-22 VulnCheck GHSA-qvhh-2f8h-hqgp
6.3
CVSS 4.0 · Vendor: VulnCheck
Share

Severity by source

Vendor (VulnCheck) PRIMARY
6.3 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:H/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from Vendor (VulnCheck) · only source for this CVE.

CVSS VectorVendor: VulnCheck

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:H/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

7
Analysis Generated
Apr 23, 2026 - 07:06 vuln.today
Severity Changed
Apr 22, 2026 - 22:22 NVD
HIGH MEDIUM
CVSS changed
Apr 22, 2026 - 22:22 NVD
8.5 (HIGH) 6.3 (MEDIUM)
EUVD ID Assigned
Apr 22, 2026 - 21:46 euvd
EUVD-2026-25118
Analysis Generated
Apr 22, 2026 - 21:46 vuln.today
Patch released
Apr 22, 2026 - 21:46 nvd
Patch available
CVE Published
Apr 22, 2026 - 21:09 nvd
MEDIUM 6.3

DescriptionCVE.org

WeKan before 8.35 contains a server-side request forgery vulnerability in webhook integration URL handling where the url schema field accepts any string without protocol restriction or destination validation. Attackers who can create or modify integrations can set webhook URLs to internal network addresses, causing the server to issue HTTP POST requests to attacker-controlled internal targets with full board event payloads, and can additionally exploit response handling to overwrite arbitrary comment text without authorization checks.

AnalysisAI

Server-side request forgery in WeKan before 8.35 allows authenticated users to create or modify webhook integrations with arbitrary URLs, enabling the server to issue HTTP POST requests to internal network addresses and attacker-controlled targets. The vulnerability additionally permits unauthorized modification of comment text through response handling, affecting systems where users have integration management privileges. No active exploitation has been confirmed at time of analysis.

Technical ContextAI

WeKan is an open-source kanban board application that supports webhook integrations for event notifications. The vulnerability exists in the webhook URL schema field validation, where the application fails to enforce protocol restrictions (e.g., requiring http/https only) or perform destination validation before storing and using the URL in HTTP POST requests. This is a classic SSRF vulnerability (CWE-918: Server-Side Request Forgery) where user-supplied input controls the HTTP request target without adequate sanitization. The affected component processes board event payloads and transmits them to the configured webhook URL, meaning an attacker can exfiltrate sensitive board data to internal network services or attacker infrastructure. The secondary impact-unauthorized comment modification-suggests insufficient authorization checks on webhook response processing.

RemediationAI

Vendor-released patch: WeKan 8.35 and later. Upgrade WeKan to version 8.35 or newer by pulling the latest release from https://github.com/wekan/wekan/releases/tag/v8.35. For containerized deployments, update the image tag and redeploy. The patch commit (2cd702f48df2b8aef0e7381685f8e089986a18a4) implements protocol validation and destination whitelisting for webhook URLs. If immediate upgrade is not feasible, restrict webhook integration creation and modification permissions to highly trusted administrators only, and audit existing webhooks for suspicious URLs pointing to internal addresses (127.0.0.1, 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, or metadata endpoints). Additionally, implement network egress filtering to block HTTP/HTTPS requests from the WeKan server to internal IP ranges, though this may impact legitimate integrations with internal services and should be tested thoroughly. Monitor webhook payload logs for exfiltration of sensitive board data.

More in Wekan

View all
CVE-2021-3309 HIGH POC
8.1 Jan 26

packages/wekan-ldap/server/ldap.js in Wekan before 4.87 can process connections even though they are not authorized by t

CVE-2026-52891 CRITICAL
9.9 Jul 15

OS command injection in Wekan (the open-source Meteor-based kanban board) before version 9.07 lets an authenticated user

CVE-2026-55652 CRITICAL
9.8 Jul 15

Authentication bypass in Wekan (open-source Meteor kanban) before version 9.46 lets an unauthenticated attacker imperson

CVE-2023-28485 MEDIUM POC
5.4 Jun 26

A stored cross-site scripting (Stored XSS) vulnerability in file preview in WeKan before 6.75 allows remote authenticate

CVE-2021-20654 MEDIUM POC
5.4 Feb 10

Wekan, open source kanban board system, between version 3.12 and 4.11, is vulnerable to multiple stored cross-site scrip

CVE-2026-52893 CRITICAL
9.2 Jul 15

Account takeover in Wekan (open-source Meteor kanban) before 9.32 allows an attacker who controls an OIDC provider accou

CVE-2026-25560 HIGH
8.7 Feb 07

LDAP filter injection in WeKan before 8.19 allows remote unauthenticated attackers to manipulate LDAP search filters and

CVE-2026-41454 HIGH
8.7 Apr 22

Privilege escalation in WeKan (versions prior to 8.35) allows authenticated board members with low privileges to perform

CVE-2026-55234 HIGH
8.5 Jul 15

Improper access control in Wekan (self-hosted open-source Meteor kanban) before version 9.37 lets any authenticated user

CVE-2026-30845 HIGH
8.2 Mar 06

Wekan versions 8.31.0 through 8.33 expose webhook URLs and authentication tokens to all board members through unfiltered

CVE-2026-30844 HIGH
8.1 Mar 06

Server-Side Request Forgery in Wekan 8.32-8.33 allows authenticated users to force the server to make arbitrary HTTP req

CVE-2026-53444 HIGH
7.6 Jul 15

Privilege escalation in Wekan (self-hosted Meteor kanban) before 9.32 lets any authenticated user directly invoke OIDC-o

Share

CVE-2026-41455 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy