CVE-2026-30844
Server-Side Request Forgery in Wekan Attachment URL Handling
Publication date: 2026-03-06
Last updated on: 2026-03-11
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wekan_project | wekan | 8.32 |
| wekan_project | wekan | 8.33 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-918 | The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-30844 is a Server-Side Request Forgery (SSRF) vulnerability in Wekan versions 8.32 and 8.33. It occurs because during board import, the server fetches attachment URLs from user-supplied JSON data without validating or filtering these URLs.
Specifically, methods like parseActivities() and parseActions() extract user-controlled attachment URLs, which are then passed directly to the Attachments.load() function for downloading without any sanitization. This allows any authenticated user to make the server issue arbitrary HTTP requests.
As a result, an attacker can reach internal network services that are normally unreachable from outside: cloud instance metadata endpoints (169.254.169.254, which on AWS with IMDSv1 hands IAM role credentials to a plain GET request), internal databases, and admin panels. If the fetched content is stored as the board attachment, the importing user can then read the response, which makes this a full-read SSRF rather than a blind one.
This vulnerability was fixed in Wekan version 8.34 by adding comprehensive URL validation to block unsafe or local network addresses.
How can this vulnerability impact me?
This vulnerability can have serious security impacts because it allows an authenticated user to make the Wekan server send arbitrary HTTP requests to internal network resources.
An attacker could exploit this to access sensitive internal services that are not exposed externally, such as cloud instance metadata endpoints that may contain IAM credentials, internal databases, and administrative panels.
Such unauthorized access could lead to data breaches, privilege escalation, or further compromise of internal systems.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability is a Server-Side Request Forgery (SSRF) triggered by attachment URL loading during board import in Wekan. Detecting exploitation means looking for HTTP connections that the Wekan server process itself opens to internal or otherwise unexpected destinations, since the requests originate from the server, not from the attacker's browser.
Watch outbound traffic from the Wekan host for connections to private ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16), to the link-local range 169.254.0.0/16 (the cloud metadata service sits at 169.254.169.254), and to loopback. Note that a request to 127.0.0.1 never leaves the host, so a network tap will not see it; only host-level tools (or Wekan's own logs) can catch that case. Do not filter on ports 80 and 443: internal databases and admin panels commonly listen elsewhere.
Suggested commands:
- Capture connections from the Wekan server to sensitive ranges with tcpdump. Parentheses are required because in pcap filters `and` binds tighter than `or`: tcpdump -i <interface> -n 'src host <wekan-server-ip> and (dst net 10.0.0.0/8 or dst net 172.16.0.0/12 or dst net 192.168.0.0/16 or dst host 169.254.169.254)'. If Wekan itself lives in one of these ranges, exclude its legitimate peers, for example `and not dst host <mongodb-ip>`, or the capture is mostly noise.
- List live connections owned by the Wekan (Node) process: ss -tanp | grep -E '"node"' and inspect the peer addresses for the ranges above; netstat -plant gives the same view on older systems. This only shows connections open at that moment, so repeat it, or use connection tracking and cloud flow logs (for example VPC flow logs) for a retrospective view.
- Review Wekan server logs for board import activity and, if debugging output is enabled, any logged attachment URL fetches; correlate import events with the outbound connections seen above and with the account that performed the import.
- From inside the Wekan host or container, use curl or wget against internal targets (for example curl -s -m 3 http://169.254.169.254/latest/meta-data/) to learn what an SSRF from this host could reach. This measures the blast radius, not whether Wekan validates URLs; a 401 from the metadata service means IMDSv2 tokens are required and a GET-only SSRF cannot read credentials.
- To confirm the vulnerability itself in a lab, import a board export whose attachment URL points at a listener you control on an internal host (for example a netcat listener). Wekan 8.32 and 8.33 will connect to it during import; 8.34 rejects the URL.
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation is to upgrade Wekan to version 8.34 or later, where the attachment import validates URLs and refuses unsafe or local network addresses.
If upgrading immediately is not possible, restrict the Wekan server's outbound network access so that it cannot reach internal or sensitive resources. An egress policy for the Wekan host or container should deny 169.254.169.254 and the private ranges outright and allow only the dependencies Wekan actually needs (its MongoDB instance, SMTP, any LDAP or OIDC provider). On AWS, requiring IMDSv2 on the instance removes the credential-theft path for a GET-only SSRF regardless of the application fix.
Logging does not block anything on 8.32 or 8.33; nothing is rejected before the fix. Its value is in showing which accounts performed board imports and when, so that the outbound connections seen during detection can be tied to a user. Because exploitation requires an authenticated account, keeping untrusted users off the instance (no open self-registration) reduces exposure until the upgrade is done.
- Upgrade Wekan to version 8.34 or later.
- Apply firewall or network-policy rules that block outbound connections from the Wekan server to internal IP ranges and to the cloud metadata endpoint, allowing only its known dependencies.
- Log board imports and the accounts that perform them, and review those logs against outbound connection records.
- Do not allow untrusted accounts on the instance, and avoid importing boards from untrusted sources until the fix is applied. [2]