Description
WeKan before 8.35 contains a server-side request forgery vulnerability in webhook integration URL handling where the url schema field accepts any string without protocol restriction or destination validation. Attackers who can create or modify integrations can set webhook URLs to internal network addresses, causing the server to issue HTTP POST requests to attacker-controlled internal targets with full board event payloads, and can additionally exploit response handling to overwrite arbitrary comment text without authorization checks.
Published: 2026-04-22
Score: 6.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: SSRF that can access internal network and modify comments
Action: Immediate Patch
AI Analysis

Impact

WeKan prior to version 8.35 has a server‑side request forgery flaw in the webhook integration URL handling. The URL schema field accepts any string without protocol restriction or destination validation, allowing an attacker who can create or modify integrations to set webhook URLs that point to internal network addresses. When a board event triggers, the server makes an HTTP POST request to the attacker‑controlled internal target, sending the full event payload. The response from that target can then be used to overwrite any comment text on the board without authentication checks.

Affected Systems

WeKan products running any version before 8.35 are affected. The vulnerability is present in all releases prior to the 8.35 release, which introduced proper validation of webhook URLs.

Risk and Exploitability

The CVSS score of 6.3 indicates a moderate severity. No EPSS score is available and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires the ability to add or edit webhook integrations, a privilege that may be granted to board‑owners or higher‑level users. Once enabled, an attacker can harvest internal network information and alter board comments, potentially leading to data exfiltration and content tampering. The likelihood of exploitation depends on the setup; internal‑only targets mitigate external exposure, but the lack of protocol or destination checks makes any internal service reachable from the server.

Generated by OpenCVE AI on April 27, 2026 at 08:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest WeKan release 8.35 or later to resolve the SSRF and comment overwrite issue.
  • If an update cannot be performed immediately, restrict the allowable webhook URL schemes to "http" and "https" and enforce hostname validation to prevent requests to internal addresses.
  • Monitor integration configurations and audit any unauthorized changes to webhook URLs to detect potential misuse.

Generated by OpenCVE AI on April 27, 2026 at 08:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 27 Apr 2026 19:45:00 +0000

Type Values Removed Values Added
First Time appeared Wekan
Wekan wekan
Vendors & Products Wekan
Wekan wekan

Thu, 23 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 22 Apr 2026 21:30:00 +0000

Type Values Removed Values Added
Description WeKan before 8.35 contains a server-side request forgery vulnerability in webhook integration URL handling where the url schema field accepts any string without protocol restriction or destination validation. Attackers who can create or modify integrations can set webhook URLs to internal network addresses, causing the server to issue HTTP POST requests to attacker-controlled internal targets with full board event payloads, and can additionally exploit response handling to overwrite arbitrary comment text without authorization checks.
Title WeKan < 8.35 SSRF via Webhook URL
Weaknesses CWE-918
References
Metrics cvssV3_1

{'score': 8.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N'}

cvssV4_0

{'score': 6.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:H/SI:L/SA:N'}

Subscriptions

Wekan Wekan
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-04-23T13:36:27.828Z

Reserved: 2026-04-20T16:07:47.310Z

Link: CVE-2026-41455

cve-icon Vulnrichment

Updated: 2026-04-23T13:36:17.321Z

cve-icon NVD

Status : Deferred

Published: 2026-04-22T22:16:32.677

Modified: 2026-04-23T16:27:11.540

Link: CVE-2026-41455

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-27T19:30:11Z

Weaknesses