Server-Side Request Forgery Vulnerability in Wekan by Wekan
CVE-2026-53446
6.2MEDIUM
What is CVE-2026-53446?
Wekan, an open-source kanban tool built with Meteor, has a server-side request forgery vulnerability in its webhook integration component. Prior to version 9.32, the application allowed board administrators to configure webhook URLs based on user input. These URLs were then processed by the server without adequate validation checks, potentially enabling attackers to initiate requests to internal or metadata services. This security flaw highlights the importance of implementing thorough validation for user-supplied data to prevent unauthorized access and protect sensitive environments. The issue has been addressed in version 9.32.
Affected Version(s)
wekan < 9.32
