CVE-2026-41455

Deferred Deferred - Pending Action

Server-Side Request Forgery in WeKan Webhook Integration Allows Unauthorized Data Manipulation

Publication date: 2026-04-22

Last updated on: 2026-05-26

Assigner: VulnCheck

Description

WeKan before 8.35 contains a server-side request forgery vulnerability in webhook integration URL handling where the URL scheme field accepts any string without protocol restriction or destination validation. Attackers who can create or modify integrations can set webhook URLs to internal network addresses, causing the server to issue HTTP POST requests to attacker-controlled internal targets with full board event payloads, and can additionally exploit response handling to overwrite arbitrary comment text without authorization checks.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published

2026-04-22

Last Modified

2026-05-26

Generated

2026-06-16

AI Q&A

2026-04-23

EPSS Evaluated

2026-06-15

NVD

CVE-2026-41455

EUVD

EUVD-2026-25118

Affected Vendors & Products

Vendor	Product	Version / Range
wekan	wekan	to 8.35 (exc)

Helpful Resources

Exploitability

CWE

KEV

CWE ID	Description
CWE-918	The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

Attack-Flow Graph

Executive Summary

This vulnerability exists in Wekan versions before 8.35 and involves a server-side request forgery (SSRF) issue in the webhook integration URL handling.

The URL schema field accepts any string without restricting the protocol or validating the destination, allowing attackers who can create or modify integrations to set webhook URLs to internal network addresses.

As a result, the server can be tricked into issuing HTTP POST requests to internal targets controlled by the attacker, including sending full board event payloads.

Additionally, attackers can exploit response handling to overwrite arbitrary comment text without authorization checks.

Executive Summary

This vulnerability exists in Wekan versions before 8.35 and involves a server-side request forgery (SSRF) issue in the webhook integration URL handling.

The URL schema field accepts any string without restricting the protocol or validating the destination.

Attackers who have the ability to create or modify integrations can set webhook URLs to internal network addresses.

This causes the server to send HTTP POST requests to internal targets controlled by the attacker, including full board event payloads.

Additionally, attackers can exploit response handling to overwrite arbitrary comment text without authorization checks.

Impact Analysis

This vulnerability can allow attackers to make the server send unauthorized HTTP POST requests to internal network addresses, potentially accessing or interacting with internal systems that are not normally exposed.

Attackers can receive full board event payloads, which may include sensitive information.

Moreover, attackers can overwrite arbitrary comment text without authorization, which could lead to data integrity issues or misinformation within the application.

Executive Summary

This vulnerability exists in Wekan versions before 8.35 and involves a server-side request forgery (SSRF) issue in the webhook integration URL handling.

As a result, the server can be tricked into issuing HTTP POST requests to internal targets controlled by the attacker, including sending full board event payloads.

Additionally, attackers can exploit the response handling to overwrite arbitrary comment text without authorization checks.

Impact Analysis

This vulnerability can impact you by allowing an attacker with integration creation or modification privileges to make the server send unauthorized HTTP POST requests to internal network addresses.

This can lead to unauthorized access or interaction with internal systems that are normally protected from external access.

Furthermore, the attacker can overwrite comment text arbitrarily without authorization, potentially leading to misinformation, data integrity issues, or manipulation of board content.

Executive Summary

This vulnerability exists in Wekan versions before 8.35 and involves a server-side request forgery (SSRF) issue in the webhook integration URL handling.

As a result, the server can be tricked into issuing HTTP POST requests to internal targets controlled by the attacker, including sending full board event payloads.

Additionally, attackers can exploit the response handling to overwrite arbitrary comment text without authorization checks.

Impact Analysis

This vulnerability can allow attackers to make the server send unauthorized HTTP POST requests to internal network addresses, potentially exposing sensitive internal services or data.

Attackers can also overwrite comment text arbitrarily without proper authorization, which could lead to misinformation, data integrity issues, or unauthorized content injection.

Overall, this can compromise the confidentiality and integrity of data within the affected system and its internal network.

Impact Analysis

This vulnerability can impact you by allowing an attacker with integration creation or modification privileges to make the server send unauthorized HTTP POST requests to internal network addresses.

This can lead to unauthorized access or manipulation of internal services that are normally protected from external access.

Furthermore, the attacker can overwrite arbitrary comment text without authorization, potentially leading to misinformation or data integrity issues within the application.

Executive Summary

This vulnerability exists in Wekan versions before 8.35 and is a server-side request forgery (SSRF) issue related to webhook integration URL handling.

The URL schema field in webhook integrations accepts any string without restricting the protocol or validating the destination.

As a result, attackers who have the ability to create or modify integrations can set webhook URLs to internal network addresses.

This causes the server to send HTTP POST requests to internal targets controlled by the attacker, including full board event payloads.

Additionally, attackers can exploit the response handling to overwrite arbitrary comment text without authorization checks.

Impact Analysis

Attackers can receive full board event payloads, which may include sensitive information.

Furthermore, attackers can overwrite arbitrary comment text without authorization, which could lead to misinformation, data integrity issues, or unauthorized data manipulation.

Executive Summary

This vulnerability exists in Wekan versions before 8.35 and is a server-side request forgery (SSRF) issue related to webhook integration URL handling.

The problem arises because the URL schema field accepts any string without restricting the protocol or validating the destination.

Attackers who have the ability to create or modify integrations can set webhook URLs to internal network addresses.

This causes the server to send HTTP POST requests to internal targets controlled by the attacker, including full board event payloads.

Additionally, attackers can exploit the response handling mechanism to overwrite arbitrary comment text without authorization checks.

Impact Analysis

This vulnerability can impact you by allowing an attacker with integration modification privileges to make the server send unauthorized HTTP requests to internal network addresses.

Such requests can leak sensitive internal information or trigger actions within the internal network that should not be accessible externally.

Moreover, the attacker can overwrite arbitrary comment text on boards without proper authorization, potentially leading to misinformation or data integrity issues.

Executive Summary

This vulnerability exists in Wekan versions before 8.35 and is a server-side request forgery (SSRF) issue related to webhook integration URL handling.

The url schema field in webhook integrations accepts any string without restricting the protocol or validating the destination.

As a result, attackers who have the ability to create or modify integrations can set webhook URLs to internal network addresses.

This causes the server to send HTTP POST requests to internal targets controlled by the attacker, including full board event payloads.

Additionally, attackers can exploit the response handling to overwrite arbitrary comment text without authorization checks.

Impact Analysis

This vulnerability can impact you by allowing attackers with integration modification privileges to make the server send unauthorized HTTP POST requests to internal network addresses.

This can lead to unauthorized access or interaction with internal systems that are normally protected from external access.

Furthermore, attackers can overwrite comment text arbitrarily without authorization, potentially leading to misinformation or manipulation of data within the application.

Executive Summary

This vulnerability exists in Wekan versions before 8.35 and is a server-side request forgery (SSRF) issue related to webhook integration URL handling.

The URL schema field in webhook integrations accepts any string without restricting the protocol or validating the destination.

Attackers who have the ability to create or modify integrations can set webhook URLs to internal network addresses.

This causes the server to send HTTP POST requests to internal targets controlled by the attacker, including full board event payloads.

Additionally, attackers can exploit the response handling to overwrite arbitrary comment text without authorization checks.

Executive Summary

This vulnerability exists in Wekan versions before 8.35 and involves server-side request forgery (SSRF) in the webhook integration URL handling.

The issue arises because the URL schema field accepts any string without restricting the protocol or validating the destination.

Attackers who have the ability to create or modify integrations can set webhook URLs to internal network addresses.

This causes the server to send HTTP POST requests to internal targets controlled by the attacker, including full board event payloads.

Additionally, attackers can exploit response handling to overwrite arbitrary comment text without authorization checks.

Impact Analysis

This vulnerability can impact you by allowing attackers to make the server send unauthorized HTTP POST requests to internal network addresses.

Such requests include sensitive board event data, potentially exposing internal information.

Attackers can also overwrite comment text arbitrarily without proper authorization, which can lead to data integrity issues or misinformation.

Executive Summary

This vulnerability exists in Wekan versions before 8.35 and involves server-side request forgery (SSRF) in the webhook integration URL handling.

The URL schema field accepts any string without restricting the protocol or validating the destination.

Attackers who have the ability to create or modify integrations can set webhook URLs to internal network addresses.

This causes the server to send HTTP POST requests to internal targets controlled by the attacker, including full board event payloads.

Additionally, attackers can exploit response handling to overwrite arbitrary comment text without authorization checks.

Impact Analysis

This vulnerability can allow attackers to make the server send unauthorized HTTP POST requests to internal network addresses, potentially accessing or interacting with internal services.

Attackers can receive full board event payloads, which may expose sensitive information.

They can also overwrite arbitrary comment text without authorization, leading to data integrity issues or misinformation.

Executive Summary

This vulnerability exists in Wekan versions before 8.35 and is a server-side request forgery (SSRF) issue related to webhook integration URL handling.

The url schema field in webhook integrations accepts any string without restricting the protocol or validating the destination.

As a result, attackers who can create or modify integrations can set webhook URLs to internal network addresses.

This causes the server to send HTTP POST requests to internal targets controlled by the attacker, including full board event payloads.

Additionally, attackers can exploit response handling to overwrite arbitrary comment text without authorization checks.

Impact Analysis

This vulnerability can impact you by allowing an attacker with integration creation or modification privileges to make the server send unauthorized HTTP POST requests to internal network addresses.

This can lead to unauthorized access or manipulation of internal services that are normally inaccessible from outside.

Furthermore, the attacker can overwrite arbitrary comment text without authorization, potentially leading to data integrity issues or misinformation.

Executive Summary

This vulnerability exists in Wekan versions before 8.35 and involves a server-side request forgery (SSRF) issue in the webhook integration URL handling.

As a result, the server issues HTTP POST requests to attacker-controlled internal targets with full board event payloads.

Additionally, attackers can exploit response handling to overwrite arbitrary comment text without authorization checks.

Impact Analysis

Attackers can also overwrite comment text arbitrarily without authorization, which could lead to misinformation, data integrity issues, or unauthorized content injection.

Executive Summary

This vulnerability exists in Wekan versions before 8.35 and involves a server-side request forgery (SSRF) issue in the webhook integration URL handling.

As a result, the server can be tricked into issuing HTTP POST requests to internal targets controlled by the attacker, including sending full board event payloads.

Additionally, attackers can exploit the response handling mechanism to overwrite arbitrary comment text without authorization checks.

Impact Analysis

This vulnerability can impact you by allowing an attacker with integration creation or modification privileges to make the server send unauthorized HTTP POST requests to internal network addresses.

This can lead to unauthorized access or manipulation of internal services that are normally inaccessible from outside the network.

Furthermore, the attacker can overwrite arbitrary comment text without authorization, potentially leading to misinformation, data integrity issues, or unauthorized content injection within the application.

Executive Summary

This vulnerability exists in Wekan versions before 8.35 and involves a server-side request forgery (SSRF) issue in the webhook integration URL handling.

As a result, the server issues HTTP POST requests to attacker-controlled internal targets with full board event payloads.

Additionally, attackers can exploit response handling to overwrite arbitrary comment text without authorization checks.

Impact Analysis

This vulnerability can impact you by allowing an attacker with integration creation or modification privileges to make the server send HTTP POST requests to internal network addresses, potentially accessing internal services that are not normally exposed.

The attacker can receive full board event payloads, which may include sensitive information.

Furthermore, the attacker can overwrite arbitrary comment text without authorization, potentially leading to misinformation or manipulation of data within the application.

Executive Summary

This vulnerability exists in Wekan versions before 8.35 and involves a server-side request forgery (SSRF) issue in the webhook integration URL handling.

Specifically, the URL schema field accepts any string without restricting the protocol or validating the destination.

Attackers who have the ability to create or modify integrations can set webhook URLs to internal network addresses.

This causes the server to send HTTP POST requests to internal targets controlled by the attacker, including full board event payloads.

Additionally, attackers can exploit the response handling to overwrite arbitrary comment text without authorization checks.

Impact Analysis

This vulnerability can allow an attacker with integration modification privileges to make the server send unauthorized HTTP POST requests to internal network addresses.

Such requests include sensitive board event data, potentially exposing internal information.

Moreover, the attacker can overwrite comment text arbitrarily without authorization, which can lead to data integrity issues and unauthorized content manipulation.

Executive Summary

This vulnerability exists in Wekan versions before 8.35 and involves a server-side request forgery (SSRF) issue in the webhook integration URL handling.

Specifically, the URL schema field accepts any string without restricting the protocol or validating the destination.

An attacker who can create or modify integrations can set webhook URLs to internal network addresses, causing the server to send HTTP POST requests to internal targets controlled by the attacker.

Additionally, the attacker can exploit response handling to overwrite arbitrary comment text without authorization checks.

Impact Analysis

This vulnerability can impact you by allowing an attacker with integration modification privileges to make the server send unauthorized HTTP POST requests to internal network addresses.

This could expose internal services to attacker-controlled payloads, potentially leading to information disclosure or further internal network compromise.

Moreover, the attacker can overwrite comment text arbitrarily without authorization, which could lead to data integrity issues or misinformation within the application.

Executive Summary

This vulnerability exists in Wekan versions before 8.35 and is a server-side request forgery (SSRF) issue related to webhook integration URL handling.

The url schema field in webhook integrations accepts any string without restricting the protocol or validating the destination.

Attackers who have the ability to create or modify integrations can set webhook URLs to internal network addresses.

This causes the server to send HTTP POST requests to internal targets controlled by the attacker, including full board event payloads.

Additionally, attackers can exploit response handling to overwrite arbitrary comment text without authorization checks.

Impact Analysis

This vulnerability can allow attackers to make the server send unauthorized HTTP POST requests to internal network addresses, potentially accessing or interacting with internal services.

Attackers can receive full board event payloads, which may expose sensitive information.

They can also overwrite arbitrary comment text without authorization, which could lead to data integrity issues or misinformation.

Executive Summary

This vulnerability exists in Wekan versions before 8.35 and involves a server-side request forgery (SSRF) issue in the webhook integration URL handling.

Specifically, the URL schema field accepts any string without restricting the protocol or validating the destination.

As a result, attackers who have the ability to create or modify integrations can set webhook URLs to internal network addresses.

This causes the server to send HTTP POST requests to internal targets controlled by the attacker, including full board event payloads.

Additionally, attackers can exploit the response handling to overwrite arbitrary comment text without authorization checks.

Impact Analysis

The vulnerability can impact you by allowing an attacker with integration modification privileges to make the server send unauthorized HTTP POST requests to internal network addresses.

This can lead to unauthorized access or interaction with internal services that are normally protected from external access.

Furthermore, the attacker can overwrite arbitrary comment text without authorization, potentially leading to data integrity issues or misinformation within the application.

Executive Summary

This vulnerability exists in Wekan versions before 8.35 and is a server-side request forgery (SSRF) issue related to webhook integration URL handling.

The problem arises because the URL schema field accepts any string without restricting the protocol or validating the destination.

Attackers who have the ability to create or modify integrations can set webhook URLs to internal network addresses.

This causes the server to send HTTP POST requests to internal targets controlled by the attacker, including full board event payloads.

Additionally, attackers can exploit the response handling to overwrite arbitrary comment text without authorization checks.

Impact Analysis

This vulnerability can impact you by allowing an attacker with integration modification privileges to make the server send unauthorized HTTP POST requests to internal network addresses.

This can lead to unauthorized access or interaction with internal systems that are normally protected from external access.

Furthermore, the attacker can overwrite arbitrary comment text without authorization, potentially leading to data integrity issues or misinformation within the application.

Executive Summary

This vulnerability exists in Wekan versions before 8.35 and involves a server-side request forgery (SSRF) issue in the webhook integration URL handling.

The url schema field accepts any string without restricting the protocol or validating the destination, allowing attackers who can create or modify integrations to set webhook URLs to internal network addresses.

As a result, the server can be tricked into issuing HTTP POST requests to internal targets controlled by the attacker, including sending full board event payloads.

Additionally, attackers can exploit the response handling to overwrite arbitrary comment text without authorization checks.

Impact Analysis

This vulnerability can impact you by allowing an attacker with integration creation or modification privileges to make the server send unauthorized HTTP POST requests to internal network addresses.

This can lead to unauthorized access or interaction with internal services that are normally protected from external access.

Furthermore, the attacker can overwrite arbitrary comment text without authorization, potentially leading to misinformation, data integrity issues, or unauthorized content injection.

Executive Summary

This vulnerability exists in Wekan versions before 8.35 and is a server-side request forgery (SSRF) issue related to webhook integration URL handling.

The url schema field in webhook integrations accepts any string without restricting the protocol or validating the destination.

Attackers who have the ability to create or modify integrations can set webhook URLs to internal network addresses.

This causes the server to send HTTP POST requests to internal targets controlled by the attacker, including full board event payloads.

Additionally, attackers can exploit the response handling to overwrite arbitrary comment text without authorization checks.

Impact Analysis

This vulnerability can allow attackers to make the server send unauthorized HTTP POST requests to internal network addresses, potentially accessing or interacting with internal services.

Attackers can receive full board event payloads, which may expose sensitive information.

They can also overwrite arbitrary comment text without authorization, leading to data integrity issues or misinformation.

Executive Summary

This vulnerability exists in Wekan versions before 8.35 and is a server-side request forgery (SSRF) issue related to webhook integration URL handling.

The URL schema field in webhook integrations accepts any string without restricting the protocol or validating the destination.

As a result, attackers who can create or modify integrations can set webhook URLs to internal network addresses.

This causes the server to send HTTP POST requests to internal targets controlled by the attacker, including full board event payloads.

Additionally, attackers can exploit response handling to overwrite arbitrary comment text without authorization checks.

Impact Analysis

This vulnerability can allow attackers to make the server send unauthorized HTTP POST requests to internal network addresses, potentially accessing or interacting with internal services.

Attackers can receive full board event payloads, which may expose sensitive information.

They can also overwrite arbitrary comment text without authorization, leading to data integrity issues or misinformation.

Impact Analysis

Attackers can receive full board event payloads, which may expose sensitive information.

Moreover, attackers can overwrite arbitrary comment text without authorization, which could lead to data integrity issues or misinformation within the application.

Hi! I’m here to help you understand CVE-2026-41455. Ask me anything about the vulnerability, its impact, or mitigation strategies.

0/70

CVE-2026-41455

Server-Side Request Forgery in WeKan Webhook Integration Allows Unauthorized Data Manipulation

Description

CVSS Scores

EPSS Scores

Meta Information

Affected Vendors & Products

Helpful Resources

Exploitability

Attack-Flow Graph

AI Quick Actions

Chat Assistant

EPSS Chart