Description
Wekan is an open source kanban tool built with Meteor. Versions 8.32 and 8.33 are vulnerable to Server-Side Request Forgery (SSRF) via attachment URL loading. During board import in Wekan, attachment URLs from user-supplied JSON data are fetched directly by the server without any URL validation or filtering, affecting both the Wekan and Trello import flows. The parseActivities() and parseActions() methods extract user-controlled attachment URLs, which are then passed directly to Attachments.load() for download with no sanitization. This Server-Side Request Forgery (SSRF) vulnerability allows any authenticated user to make the server issue arbitrary HTTP requests, potentially accessing internal network services such as cloud instance metadata endpoints (exposing IAM credentials), internal databases, and admin panels that are otherwise unreachable from outside the network. This issue has been fixed in version 8.34.
Published: 2026-03-06
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Server Side Request Forgery allowing arbitrary internal network requests
Action: Immediate Patch
AI Analysis

Impact

Wekan versions 8.32 and 8.33 lack validation when loading attachment URLs during board import. The server blindly fetches URLs provided in user-supplied JSON, permitting any authenticated user to force the server to request any HTTP endpoint. This can reveal internal services, cloud instance metadata, or exposed administrative panels, effectively exposing sensitive data or enabling further attacks.

Affected Systems

The vulnerability affects the Wekan open source kanban tool, specifically releases 8.32 and 8.33. Both the native Wekan import flow and the Trello import flow use the same parsing logic and are therefore exposed.

Risk and Exploitability

The flaw carries a CVSS score of 9.3, indicating critical impact and high exploitation potential. The EPSS score is reported as less than 1%, suggesting a low current exploitation probability, and the vulnerability is not listed in the CISA KEV catalog. An attacker must be authenticated to perform the import, but once granted access, the attacker can trick the server into connecting to arbitrary internal resources, potentially leaking credentials, database contents, or other sensitive information.

Generated by OpenCVE AI on April 16, 2026 at 11:15 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Wekan to version 8.34 or later, which includes the SSRF fix.
  • Deploy network segmentation or firewall rules to block traffic from the Wekan server to internal IP ranges and the cloud metadata service.
  • Restrict or disable the board import feature for untrusted users, or modify the import process to validate and sanitize URLs before loading them.
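One way to implement the URL validation recommended above, as an added example in Node/JavaScript (not Wekan's own code): attachment URLs taken from import JSON are checked against an allow-list of schemes and a deny-list of internal address ranges before the importer hands them to any downloader. The function names, the card/attachment shape of the payload and the sample URLs are assumptions made for the example.

```javascript
// Added example, not Wekan's code: validate attachment URLs from import JSON
// before the importer fetches them. Node's WHATWG URL parser normalises
// decimal/hex IPv4 spellings to dotted quads, so one literal check suffices.

function parseIPv4(host) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return null;
  const octets = m.slice(1).map(Number);
  return octets.every((o) => o <= 255) ? octets : null;
}

// Ranges a server must never be asked to fetch: "this network", loopback, RFC 1918,
// link-local (cloud metadata sits at 169.254.169.254), CGNAT, multicast, reserved.
function isInternalIPv4([a, b]) {
  return a === 0 || a === 10 || a === 127 || a >= 224 ||
    (a === 169 && b === 254) || (a === 172 && b >= 16 && b <= 31) ||
    (a === 192 && b === 168) || (a === 100 && b >= 64 && b <= 127);
}

function isSafeAttachmentUrl(raw) {
  let url;
  try { url = new URL(String(raw)); } catch (_) { return false; }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') return false;
  if (url.username || url.password) return false;       // no embedded credentials
  const host = url.hostname.toLowerCase().replace(/^\[|\]$/g, '');
  if (host === 'localhost' || host.endsWith('.localhost')) return false;
  if (host.includes(':')) return false;  // reject every IPv6 literal (::1, v4-mapped, ...)
  const v4 = parseIPv4(host);
  if (v4) return !isInternalIPv4(v4);
  return host.includes('.');             // require a qualified hostname, not a bare label
}

// Keeps only the attachment URLs of an import payload that pass the check.
// The cards -> attachments -> url shape is an assumption for this example.
function safeAttachmentUrls(importJson) {
  const out = [];
  for (const card of importJson.cards || []) {
    for (const att of card.attachments || []) {
      if (isSafeAttachmentUrl(att.url)) out.push(att.url);
    }
  }
  return out;
}

// Constructed sample payload, not real Trello or Wekan export data.
const SAMPLE_IMPORT = { cards: [{ attachments: [
  { url: 'https://files.example.com/spec.pdf' }, { url: 'http://169.254.169.254/' },
  { url: 'http://127.0.0.1:27017/' }, { url: 'file:///etc/passwd' },
] }] };
```

A literal check like this does not cover hostnames that resolve to internal addresses or change their answer between lookup and connect, so a production importer should additionally validate the resolved address at connect time.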


Advisories

No advisories yet.

History

Wed, 11 Mar 2026 15:00:00 +0000

Type: First Time appeared
  Values Added: Wekan Project; Wekan Project wekan
Type: CPEs
  Values Added: cpe:2.3:a:wekan_project:wekan:8.32:*:*:*:*:*:*:*; cpe:2.3:a:wekan_project:wekan:8.33:*:*:*:*:*:*:*
Type: Vendors & Products
  Values Added: Wekan Project; Wekan Project wekan
Type: Metrics
  Values Added: cvssV3_1 {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N'}


Mon, 09 Mar 2026 21:15:00 +0000

Type: Metrics
  Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 09 Mar 2026 10:15:00 +0000

Type: First Time appeared
  Values Added: Wekan; Wekan wekan
Type: Vendors & Products
  Values Added: Wekan; Wekan wekan

Fri, 06 Mar 2026 19:45:00 +0000

Type: Description
  Values Added: Wekan is an open source kanban tool built with Meteor. Versions 8.32 and 8.33 are vulnerable to Server-Side Request Forgery (SSRF) via attachment URL loading. During board import in Wekan, attachment URLs from user-supplied JSON data are fetched directly by the server without any URL validation or filtering, affecting both the Wekan and Trello import flows. The parseActivities() and parseActions() methods extract user-controlled attachment URLs, which are then passed directly to Attachments.load() for download with no sanitization. This Server-Side Request Forgery (SSRF) vulnerability allows any authenticated user to make the server issue arbitrary HTTP requests, potentially accessing internal network services such as cloud instance metadata endpoints (exposing IAM credentials), internal databases, and admin panels that are otherwise unreachable from outside the network. This issue has been fixed in version 8.34.
Type: Title
  Values Added: Wekan Vulnerable to SSRF through Lack of Validation or Filtering in Attachment URL Loading
Type: Weaknesses
  Values Added: CWE-918
Type: References
  Values Added:
Type: Metrics
  Values Added: cvssV4_0 {'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-09T20:34:20.301Z

Reserved: 2026-03-05T21:27:35.341Z

Link: CVE-2026-30844

Vulnrichment

Updated: 2026-03-09T20:27:04.319Z

NVD

Status: Analyzed

Published: 2026-03-06T20:16:17.030

Modified: 2026-03-11T14:56:52.180

Link: CVE-2026-30844

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T11:15:27Z

Weaknesses