Description
WeKan before 8.35 contains a server-side request forgery vulnerability in webhook integration URL handling where the URL scheme field accepts any string without protocol restriction or destination validation. Attackers who can create or modify integrations can set webhook URLs to internal network addresses, causing the server to issue HTTP POST requests to attacker-controlled internal targets with full board event payloads, and can additionally exploit response handling to overwrite arbitrary comment text without authorization checks.
Published: 2026-04-22
Score: 6.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw lies in WeKan's webhook integration URL handling before version 8.35. The URL scheme field accepts any string without protocol restrictions or target validation, enabling an attacker who can create or modify integrations to point webhook URLs at internal network addresses. When a board event triggers, the server issues an HTTP POST request to the attacker-controlled target, sending the full event payload. The response from that target can be exploited to overwrite arbitrary comment text on the board without any authorization checks.

Affected Systems

All WeKan releases before 8.35 are affected; release 8.35 introduced proper validation of webhook URLs.

Risk and Exploitability

The CVSS score of 6.3 indicates moderate severity. The EPSS score is <1% (0.00034), reflecting a very low probability of exploitation, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires the ability to add or edit webhook integrations, a privilege that may be granted to board owners or higher-level users. With that access, an attacker can harvest internal network information and alter board comments, potentially leading to data exfiltration and content tampering. The likelihood of exploitation depends on the deployment: internal-only targets reduce external exposure, but the lack of protocol or destination checks makes any internal service reachable from the server.

Generated by OpenCVE AI on May 26, 2026 at 15:36 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest WeKan release 8.35 or later to resolve the SSRF and comment overwrite issue.
  • If an update cannot be performed immediately, restrict the allowable webhook URL schemes to "http" and "https" and enforce hostname validation to prevent requests to internal addresses.
  • Monitor integration configurations and audit any unauthorized changes to webhook URLs to detect potential misuse.
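As an added example (not WeKan's own code), a webhook URL check of the kind the second recommended action describes: it allows only http and https and rejects literal loopback, private, link-local, unspecified and IPv4-mapped addresses, relying on the WHATWG URL parser that Node ships to normalise odd literal forms first. It assumes the URL class of Node.js and handles only address literals, not hostnames that resolve to internal addresses.

```javascript
// Added example (not WeKan's own code): allow-list check for a webhook URL.
// Accepts only http/https and rejects literal loopback, private, link-local,
// unspecified and IPv4-mapped targets. Names that merely resolve to such
// addresses are NOT caught here; re-check the resolved address before connecting.
const ALLOWED_PROTOCOLS = new Set(['http:', 'https:']);

// Dotted-quad IPv4 literal -> [a, b, c, d], or null if the host is not one.
// The WHATWG URL parser already normalises forms like "2130706433" to dotted.
function parseIPv4(host) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return null;
  const octets = m.slice(1).map(Number);
  return octets.every((o) => o <= 255) ? octets : null;
}

function isInternalIPv4([a, b]) {
  return a === 0                               // 0.0.0.0/8
    || a === 10                                // 10.0.0.0/8
    || a === 127                               // 127.0.0.0/8 loopback
    || (a === 169 && b === 254)                // 169.254.0.0/16 link-local
    || (a === 172 && b >= 16 && b <= 31)       // 172.16.0.0/12
    || (a === 192 && b === 168);               // 192.168.0.0/16
}

// `host` is the bracketed form the URL API returns, e.g. "[::1]".
function isInternalIPv6(host) {
  const h = host.slice(1, -1).toLowerCase();
  if (h === '::' || h === '::1') return true;          // unspecified / loopback
  if (/^fe[89ab][0-9a-f]:/.test(h)) return true;       // fe80::/10 link-local
  if (/^f[cd][0-9a-f]{2}:/.test(h)) return true;       // fc00::/7 unique local
  // IPv4-mapped: serialised by the URL API as ::ffff:HHHH:HHHH (hex groups).
  const mapped = /^::ffff:([0-9a-f]{1,4}):[0-9a-f]{1,4}$/.exec(h);
  if (!mapped) return false;
  const hi = parseInt(mapped[1], 16);
  return isInternalIPv4([hi >> 8, hi & 0xff]);
}

// Returns { ok: true, url } for an acceptable target, else { ok: false, reason }.
function validateWebhookUrl(raw) {
  let url;
  try { url = new URL(raw); } catch { return { ok: false, reason: 'unparseable URL' }; }
  if (!ALLOWED_PROTOCOLS.has(url.protocol)) {
    return { ok: false, reason: `scheme ${url.protocol} not allowed` };
  }
  const host = url.hostname;
  if (host === 'localhost' || host.endsWith('.localhost')) return { ok: false, reason: 'localhost' };
  const v4 = parseIPv4(host);
  if (v4 && isInternalIPv4(v4)) return { ok: false, reason: 'internal IPv4 address' };
  if (host.startsWith('[') && isInternalIPv6(host)) return { ok: false, reason: 'internal IPv6 address' };
  return { ok: true, url: url.href };
}
```

A literal check is necessary but not sufficient: the code that sends the POST must also validate the address returned by DNS immediately before connecting and must not follow redirects to hosts that would fail this check.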

Advisories

No advisories yet.

History

Tue, 26 May 2026 13:45:00 +0000

Type: Description
Values Removed: WeKan before 8.35 contains a server-side request forgery vulnerability in webhook integration URL handling where the url schema field accepts any string without protocol restriction or destination validation. Attackers who can create or modify integrations can set webhook URLs to internal network addresses, causing the server to issue HTTP POST requests to attacker-controlled internal targets with full board event payloads, and can additionally exploit response handling to overwrite arbitrary comment text without authorization checks.
Values Added: WeKan before 8.35 contains a server-side request forgery vulnerability in webhook integration URL handling where the URL scheme field accepts any string without protocol restriction or destination validation. Attackers who can create or modify integrations can set webhook URLs to internal network addresses, causing the server to issue HTTP POST requests to attacker-controlled internal targets with full board event payloads, and can additionally exploit response handling to overwrite arbitrary comment text without authorization checks.

Mon, 27 Apr 2026 19:45:00 +0000

Type: First Time appeared
Values Added: Wekan; Wekan wekan
Type: Vendors & Products
Values Added: Wekan; Wekan wekan

Thu, 23 Apr 2026 14:15:00 +0000

Type: Metrics
Values Added: ssvc
{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 22 Apr 2026 21:30:00 +0000

Type: Description
Values Added: WeKan before 8.35 contains a server-side request forgery vulnerability in webhook integration URL handling where the url schema field accepts any string without protocol restriction or destination validation. Attackers who can create or modify integrations can set webhook URLs to internal network addresses, causing the server to issue HTTP POST requests to attacker-controlled internal targets with full board event payloads, and can additionally exploit response handling to overwrite arbitrary comment text without authorization checks.
Type: Title
Values Added: WeKan < 8.35 SSRF via Webhook URL
Type: Weaknesses
Values Added: CWE-918
Type: References
Type: Metrics
Values Added: cvssV3_1
{'score': 8.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N'}
cvssV4_0
{'score': 6.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:H/SI:L/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-26T11:52:14.798Z

Reserved: 2026-04-20T16:07:47.310Z

Link: CVE-2026-41455

Vulnrichment

Updated: 2026-04-23T13:36:17.321Z

NVD

Status: Deferred

Published: 2026-04-22T22:16:32.677

Modified: 2026-05-26T14:16:35.990

Link: CVE-2026-41455

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-26T15:45:08Z

Weaknesses