CVE-2026-32255
Server-Side Request Forgery in Kan Attachment Download Endpoint
Publication date: 2026-03-19
Last updated on: 2026-03-19
Assigner: GitHub, Inc.
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| kan | kan | up to 0.5.5 (exclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-918 | The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-32255 is a Server-Side Request Forgery (SSRF) vulnerability in the Kan open-source project management tool, specifically in versions 0.5.4 and below. The vulnerability exists in the /api/download/attatchment endpoint, which accepts a user-supplied URL query parameter and passes it directly to the server-side fetch() function without any authentication or URL validation.
Because of this, an unauthenticated attacker can make arbitrary HTTP requests from the server to internal services, cloud metadata endpoints, or private network resources, and receive the full response body. This can expose sensitive internal data.
The issue was fixed in version 0.5.5 by introducing strict URL validation that restricts downloads to attachments hosted only on a configured storage endpoint, preventing arbitrary URL downloads and SSRF attacks.
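The allowlist check described above, written here as an added example rather than Kan's own fix: a user-supplied URL is accepted only if it parses, uses https, carries no credentials, matches the configured storage origin exactly (scheme, host and port) and stays under the attachment path prefix. The storage endpoint value and the handler shape are assumptions.

```javascript
// Constructed configuration value: the only origin attachments may be fetched from.
const STORAGE_ENDPOINT = "https://storage.example.com/kan-attachments/";

// Returns the parsed URL when it points at an attachment on the configured
// storage endpoint, otherwise null. Comparing `origin` (scheme + host + port)
// defeats lookalike hosts such as storage.example.com.evil.example, userinfo
// tricks such as https://storage.example.com@evil.example/ and scheme changes.
function resolveAttachmentUrl(userUrl, storageEndpoint = STORAGE_ENDPOINT) {
  let target, storage;
  try {
    target = new URL(userUrl);          // absolute URLs only; anything else throws
    storage = new URL(storageEndpoint);
  } catch {
    return null;
  }
  if (target.protocol !== "https:") return null;        // no http:, file:, gopher:, ...
  if (target.username || target.password) return null;  // no embedded credentials
  if (target.origin !== storage.origin) return null;    // exact host and port match
  // The URL parser already collapses literal "..", but percent-encoded dot
  // segments survive parsing and may be decoded by the storage backend.
  let decodedPath;
  try {
    decodedPath = decodeURIComponent(target.pathname);
  } catch {
    return null;                                        // malformed percent-encoding
  }
  if (decodedPath.split("/").includes("..")) return null;
  if (!target.pathname.startsWith(storage.pathname)) return null;
  return target;
}

// Handler sketch (hypothetical): fetch only what the allowlist accepted, and do
// not follow redirects, so the storage host cannot bounce the server elsewhere.
async function downloadAttachment(userUrl, fetchImpl = fetch) {
  const safe = resolveAttachmentUrl(userUrl);
  if (safe === null) {
    return { status: 400, body: "url must point at the configured attachment storage" };
  }
  const res = await fetchImpl(safe.toString(), { redirect: "manual" });
  if (res.status >= 300 && res.status < 400) {
    return { status: 502, body: "storage endpoint returned a redirect" };
  }
  return { status: res.status, body: await res.text() };
}
```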
How can this vulnerability impact me?
This vulnerability allows an unauthenticated attacker to make arbitrary HTTP requests from the vulnerable server to internal or private network resources, including cloud metadata endpoints.
As a result, sensitive internal data can be exposed to the attacker, leading to a high confidentiality impact.
Because the attacker does not need any privileges or user interaction to exploit this vulnerability, it poses a significant security risk.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for unauthenticated HTTP GET requests to the /api/download/attatchment endpoint that include a user-supplied url query parameter. Such requests may indicate attempts to exploit the Server-Side Request Forgery (SSRF) vulnerability.

You can use network monitoring or web server access logs to identify suspicious requests to this endpoint.

- Use curl or similar tools to test the endpoint, for example: curl -v 'http://your-kan-server/api/download/attatchment?url=http://example.com'
- Check web server logs for GET requests to /api/download/attatchment with url parameters.
- Use network monitoring tools (e.g., tcpdump, Wireshark) to capture HTTP requests targeting the vulnerable endpoint. [3]
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability immediately, block or restrict access to the /api/download/attatchment endpoint at the reverse proxy level, such as using nginx or Cloudflare.
Upgrading the Kan project to version 0.5.5 or later will fix the issue by adding authentication and URL validation to the endpoint.
If upgrading is not immediately possible, implement access controls or firewall rules to prevent unauthenticated access to this endpoint.