Description
Kan is an open-source project management tool. In versions 0.5.4 and below, the /api/download/attatchment endpoint has no authentication and no URL validation: the attachment download handler accepts a user-supplied URL query parameter, passes it directly to a server-side fetch(), and returns the full response body. An unauthenticated attacker can use this to make HTTP requests from the server to internal services, cloud metadata endpoints, or private network resources. This issue has been fixed in version 0.5.5. To work around this issue, block or restrict access to /api/download/attatchment at the reverse proxy level (nginx, Cloudflare, etc.).
Published: 2026-03-18
Score: 8.6 High
EPSS: 10.1% Moderate
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability exists in Kan versions 0.5.4 and earlier where the /api/download/attatchment endpoint accepts a user‑supplied URL parameter without authentication or validation. The server blindly passes this URL to fetch() and returns the response body, allowing an unauthenticated attacker to force the server to make HTTP requests to arbitrary destinations. This leads to Server‑Side Request Forgery (SSRF) and can expose internal services, cloud metadata endpoints, or private network resources, potentially leaking sensitive information or enabling further attacks.

Affected Systems

This issue affects the open‑source project management tool Kan (vendor kanbn:kan) running versions 0.5.4 and earlier.

Risk and Exploitability

The vulnerability has a CVSS score of 8.6, indicating high severity. The EPSS score is 10%, indicating a moderate probability of exploitation in the wild. It is not listed in the CISA KEV catalog. An attacker can exploit it by sending unauthenticated requests to the /api/download/attatchment endpoint, which makes the server fetch the supplied URL and return the response body. Until affected installations are updated, the risk remains significant.

Generated by OpenCVE AI on June 18, 2026 at 10:07 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Kan to version 0.5.5 or later.
  • Block or restrict /api/download/attatchment at the reverse‑proxy level (e.g., nginx, Cloudflare).
  • If an upgrade is not immediately possible, configure the Kan server’s outbound network traffic to only allow necessary destinations, limiting internal access.
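The reverse-proxy workaround in the second bullet, written out for nginx as an added example (not taken from the page or from the Kan project). It assumes Kan is already served through a proxied location and an upstream named kan_upstream, and that the deployment exposes the misspelled path exactly as the advisory gives it:

```nginx
# Constructed example: refuse the vulnerable endpoint before it reaches Kan.
# A ^~ prefix match also covers a trailing slash or extra path segments and
# takes precedence over regex locations. The query string is not part of
# location matching, so any ?url=... value is rejected together with the path.
location ^~ /api/download/attatchment {
    return 403;
}

# Everything else continues to reach Kan (kan_upstream is an assumed name).
location / {
    proxy_pass http://kan_upstream;
}
```

After reloading nginx, a request for that path should return 403 in the access log instead of fetched content; the 403 entries also give a simple signal for spotting probes against the endpoint until the upgrade to 0.5.5 is done.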

Generated by OpenCVE AI on June 18, 2026 at 10:07 UTC.

Advisories

No advisories yet.

History

Thu, 19 Mar 2026 16:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 19 Mar 2026 16:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Kan; Kan kan
CPEs | | cpe:2.3:a:kan:kan:*:*:*:*:*:*:*:*
Vendors & Products | | Kan; Kan kan

Thu, 19 Mar 2026 09:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Kanbn; Kanbn kan
Vendors & Products | | Kanbn; Kanbn kan

Wed, 18 Mar 2026 23:30:00 +0000

Type | Values Removed | Values Added
Description | | Kan is an open-source project management tool. In versions 0.5.4 and below, the /api/download/attatchment endpoint has no authentication and no URL validation. The Attachment Download endpoint accepts a user-supplied URL query parameter and passes it directly to fetch() server-side, and returns the full response body. An unauthenticated attacker can use this to make HTTP requests from the server to internal services, cloud metadata endpoints, or private network resources. This issue has been fixed in version 0.5.5. To workaround this issue, block or restrict access to /api/download/attatchment at the reverse proxy level (nginx, Cloudflare, etc.).
Title | | Kan is Vulnerable to Unauthenticated SSRF via Attachment Download Endpoint
Weaknesses | | CWE-918
References | |
Metrics | | cvssV3_1 {'score': 8.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-19T16:11:00.489Z

Reserved: 2026-03-11T15:05:48.396Z

Link: CVE-2026-32255

Vulnrichment

Updated: 2026-03-19T16:10:53.066Z

NVD

Status: Analyzed

Published: 2026-03-19T00:16:18.003

Modified: 2026-06-17T10:35:26.237

Link: CVE-2026-32255

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-18T10:15:03Z

Weaknesses
  • CWE-918: Server-Side Request Forgery (SSRF)