CRITICAL🇵🇱 Wersja polska

CVE-2026-30844

CVSS 9.3v4.0pub. 2026-03-06upd. 2026-03-11

Wekan is an open source kanban tool built with Meteor. Versions 8.32 and 8.33 are vulnerable to Server-Side Request Forgery (SSRF) via attachment URL loading. During board import in Wekan, attachment URLs from user-supplied JSON data are fetched directly by the server without any URL validation or filtering, affecting both the Wekan and Trello import flows. The parseActivities() and parseActions() methods extract user-controlled attachment URLs, which are then passed directly to Attachments.load() for download with no sanitization. This Server-Side Request Forgery (SSRF) vulnerability allows any authenticated user to make the server issue arbitrary HTTP requests, potentially accessing internal network services such as cloud instance metadata endpoints (exposing IAM credentials), internal databases, and admin panels that are otherwise unreachable from outside the network. This issue has been fixed in version 8.34.

CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
  • Wekan Project Wekan

    APP
    Wekan Project
    8.328.33
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
SSRF
CWE
References

Related vulnerabilities

CVE-2026-30843CRITICAL9.3PL ✓ten sam produkt

Wekan IDOR: nieautoryzowana modyfikacja pól własnych na tablicach

CVE-2026-30847CRITICAL9.3PL ✓ten sam produkt

Wekan: ujawnienie wrażliwych danych użytkowników przez publikację notificationUsers

CVE-2026-30846HIGH8.7ten sam produkt

Wekan is an open source kanban tool built with Meteor. In versions 8.31.0 through 8.33, the globalwebhooks pub...

CVE-2026-25564HIGH7.1ten sam produkt

WeKan versions prior to 8.19 contain an insecure direct object reference (IDOR) in checklist creation and rela...

CVE-2026-25561HIGH7.1ten sam produkt

WeKan versions prior to 8.19 contain an authorization weakness in the attachment upload API. The API does not ...