Server-Side Request Forgery Vulnerability in Wekan by Wekan
CVE-2026-30844

9.3 CRITICAL

Key Information:

Vendor:
Wekan
Status:
Vendor
CVE Published:
6 March 2026

What is CVE-2026-30844?

Wekan, the open-source kanban tool, has a Server-Side Request Forgery (SSRF) vulnerability in versions 8.32 and 8.33. The flaw lies in how attachment URLs are handled during board import: the user-supplied board JSON may contain attachment URLs, and the server fetches each of them without validating the scheme or the destination host. Any authenticated user can therefore make the Wekan server issue arbitrary HTTP requests on their behalf to hosts the attacker cannot reach directly, such as internal network services, cloud instance metadata endpoints and internal admin interfaces, potentially exposing confidential data held there. The vulnerability is fixed in version 8.34.

Affected Version(s)

Wekan >= 8.32, < 8.34

CVSS V4

Score:
9.3
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Requirements:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability reserved

  • Vulnerability published: 6 March 2026