Description
Kan is an open-source project management tool. In versions 0.5.4 and below, the /api/download/attatchment endpoint has no authentication and no URL validation. The Attachment Download endpoint accepts a user-supplied URL query parameter and passes it directly to fetch() server-side, and returns the full response body. An unauthenticated attacker can use this to make HTTP requests from the server to internal services, cloud metadata endpoints, or private network resources. This issue has been fixed in version 0.5.5. To work around this issue, block or restrict access to /api/download/attatchment at the reverse proxy level (nginx, Cloudflare, etc.).
Published: 2026-03-18
Score: 8.6 High
EPSS: < 1% Very Low
KEV: No
Impact: Server‑Side Request Forgery (SSRF) leading to internal network access
Action: Immediate Patch
AI Analysis

Impact

The vulnerability exists in Kan versions 0.5.4 and earlier, where the /api/download/attatchment endpoint accepts a user-supplied url query parameter without authentication or validation. The server passes this URL straight to fetch() and returns the full response body to the caller, so an unauthenticated attacker can make the server issue HTTP requests to arbitrary destinations and read the responses. This is a non-blind Server-Side Request Forgery (SSRF, CWE-918): it can expose internal services, cloud metadata endpoints, or private network resources, leaking sensitive information or enabling further attacks.

Affected Systems

This issue affects the open‑source project management tool Kan (product kan:kan) running versions 0.5.4 and earlier.

Risk and Exploitability

The CVSS v3.1 score of 8.6 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N) indicates high severity: the endpoint is reachable over the network, needs no privileges or user interaction, and the changed scope reflects that the confidentiality impact lands on other systems (internal services, cloud metadata) rather than on Kan itself. The EPSS score is below 1% and the issue is not listed in the CISA KEV catalog, but those signals lag for a newly published CVE and should not outweigh how easy the attack is: a single unauthenticated GET to /api/download/attatchment with a url query parameter makes the server fetch that URL and return the response body, so the attacker reads internal responses directly rather than blindly. Until affected instances are upgraded or the endpoint is blocked, the risk remains significant.

Generated by OpenCVE AI on March 19, 2026 at 17:22 UTC.

Remediation

Vendor fix: upgrade to Kan 0.5.5, which addresses the issue. Vendor workaround: block or restrict access to /api/download/attatchment at the reverse proxy level (nginx, Cloudflare, etc.).

OpenCVE Recommended Actions

  • Upgrade Kan to version 0.5.5 or later.
  • If upgrade is not immediately possible, block or restrict /api/download/attatchment at the reverse‑proxy level (e.g., nginx, Cloudflare).
  • Verify, from an unauthenticated client, that the endpoint no longer proxies arbitrary URLs: a request for a loopback, private-range, or cloud-metadata URL should be rejected rather than answered with the fetched body.


Tracking


Advisories

No advisories yet.

History

Thu, 19 Mar 2026 16:15:00 +0000

Type    | Values Removed | Values Added
Metrics |                | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 19 Mar 2026 16:00:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Kan
                    |                | Kan kan
CPEs                |                | cpe:2.3:a:kan:kan:*:*:*:*:*:*:*:*
Vendors & Products  |                | Kan
                    |                | Kan kan

Thu, 19 Mar 2026 09:45:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Kanbn
                    |                | Kanbn kan
Vendors & Products  |                | Kanbn
                    |                | Kanbn kan

Wed, 18 Mar 2026 23:30:00 +0000

Type        | Values Removed | Values Added
Description |                | Kan is an open-source project management tool. In versions 0.5.4 and below, the /api/download/attatchment endpoint has no authentication and no URL validation. The Attachment Download endpoint accepts a user-supplied URL query parameter and passes it directly to fetch() server-side, and returns the full response body. An unauthenticated attacker can use this to make HTTP requests from the server to internal services, cloud metadata endpoints, or private network resources. This issue has been fixed in version 0.5.5. To workaround this issue, block or restrict access to /api/download/attatchment at the reverse proxy level (nginx, Cloudflare, etc.).
Title       |                | Kan is Vulnerable to Unauthenticated SSRF via Attachment Download Endpoint
Weaknesses  |                | CWE-918
References  |                |
Metrics     |                | cvssV3_1: {'score': 8.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-19T16:11:00.489Z

Reserved: 2026-03-11T15:05:48.396Z

Link: CVE-2026-32255

Vulnrichment

Updated: 2026-03-19T16:10:53.066Z

NVD

Status : Analyzed

Published: 2026-03-19T00:16:18.003

Modified: 2026-03-19T15:45:37.580

Link: CVE-2026-32255

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-25T11:51:50Z

Weaknesses