Wekan
CVE-2026-53446
MEDIUM
Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:H/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Board administrator credentials required (PR:H), network API access sufficient (AV:N), scope changes to internal systems (S:C) with high confidentiality and low integrity impact on those systems.
Primary rating from Vendor (GitHub_M).
CVSS VectorVendor: GitHub_M
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:H/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
Wekan is open source kanban built with Meteor. Prior to 9.32, Wekan webhook integration URLs in models/integrations.js are stored from user input and later fetched by server/notifications/outgoing.js without applying the existing validateAttachmentUrl() private-network checks from models/lib/attachmentUrlValidation.js. A board administrator can configure webhook URLs that cause server-side requests to internal or metadata services. This issue is fixed in version 9.32.
AnalysisAI
Server-side request forgery in Wekan's webhook integration feature allows board administrators to register malicious webhook URLs that the Wekan server later fetches without private-network validation, enabling unauthorized access to internal services and cloud metadata endpoints. All Wekan deployments prior to version 9.32 are affected; the root cause is that the existing validateAttachmentUrl() guard present in models/lib/attachmentUrlValidation.js was never wired into the webhook creation and update API paths. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the attacker to hold valid Wekan board administrator credentials (CVSS PR:H confirmed). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:H/SI:L/SA:N, score 6.2) accurately captures the risk profile: PR:H constrains exploitation to board administrators, a meaningful barrier that prevents this from being a general-user or anonymous threat. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A malicious board administrator submits a webhook integration URL pointing to http://169.254.169.254/latest/meta-data/iam/security-credentials/ via the Wekan API. When a card is moved or updated, Wekan's outgoing notification handler fetches the stored URL server-side, causing the cloud host's metadata service to return temporary IAM role credentials. … |
| Remediation | The primary remediation is to upgrade Wekan to version 9.32 or later; this release applies validateAttachmentUrl() validation to both the webhook creation and update API endpoints, blocking SSRF-capable URLs before they are stored. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
packages/wekan-ldap/server/ldap.js in Wekan before 4.87 can process connections even though they are not authorized by t
OS command injection in Wekan (the open-source Meteor-based kanban board) before version 9.07 lets an authenticated user
Authentication bypass in Wekan (open-source Meteor kanban) before version 9.46 lets an unauthenticated attacker imperson
A stored cross-site scripting (Stored XSS) vulnerability in file preview in WeKan before 6.75 allows remote authenticate
Wekan, open source kanban board system, between version 3.12 and 4.11, is vulnerable to multiple stored cross-site scrip
Account takeover in Wekan (open-source Meteor kanban) before 9.32 allows an attacker who controls an OIDC provider accou
LDAP filter injection in WeKan before 8.19 allows remote unauthenticated attackers to manipulate LDAP search filters and
Privilege escalation in WeKan (versions prior to 8.35) allows authenticated board members with low privileges to perform
Improper access control in Wekan (self-hosted open-source Meteor kanban) before version 9.37 lets any authenticated user
Wekan versions 8.31.0 through 8.33 expose webhook URLs and authentication tokens to all board members through unfiltered
Server-Side Request Forgery in Wekan 8.32-8.33 allows authenticated users to force the server to make arbitrary HTTP req
Privilege escalation in Wekan (self-hosted Meteor kanban) before 9.32 lets any authenticated user directly invoke OIDC-o
Same weakness CWE-918 – Server-Side Request Forgery (SSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today