CVE-2026-53446
Received Received - Intake

Webhook URL SSRF in Wekan

Vulnerability report for CVE-2026-53446, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-15

Last updated on: 2026-07-15

Assigner: GitHub, Inc.

Description

Wekan is open source kanban built with Meteor. Prior to 9.32, Wekan webhook integration URLs in models/integrations.js are stored from user input and later fetched by server/notifications/outgoing.js without applying the existing validateAttachmentUrl() private-network checks from models/lib/attachmentUrlValidation.js. A board administrator can configure webhook URLs that cause server-side requests to internal or metadata services. This issue is fixed in version 9.32.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-15
Last Modified
2026-07-15
Generated
2026-07-16
AI Q&A
2026-07-16
EPSS Evaluated
N/A
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
wekan wekan to 9.32 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-918 The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

Wekan is an open-source kanban tool built with Meteor. This vulnerability exists in versions prior to 9.32 where webhook integration URLs, entered by users, are stored without proper validation. The server later fetches these URLs without applying checks meant to prevent access to internal or metadata services. This allows a board administrator to configure malicious webhook URLs that could lead to unauthorized server-side requests to sensitive services.

Impact Analysis

An attacker with board administrator privileges could exploit this to make the server send requests to internal systems or metadata services. This could expose sensitive data, enable further attacks on internal infrastructure, or allow unauthorized access to services. The impact depends on the server's network configuration and the services it can access.

Compliance Impact

This vulnerability could lead to unauthorized access to sensitive data, violating GDPR's data protection principles or HIPAA's security requirements. If exploited, it may result in data breaches, unauthorized data exposure, or loss of control over personal health information, potentially leading to legal penalties and compliance violations.

Detection Guidance

Check Wekan version for versions prior to 9.32. Inspect webhook URLs configured in Wekan for unusual internal or metadata service endpoints. Review server-side requests made by outgoing.js for unexpected connections to private networks.

Mitigation Strategies

Upgrade Wekan to version 9.32 or later immediately. Review and remove any suspicious webhook URLs configured by board administrators. Monitor network traffic for unexpected internal or metadata service requests originating from Wekan.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-53446. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart