Server-Side Request Forgery Vulnerability in Wekan by Wekan
CVE-2026-53446

6.2MEDIUM

Key Information:

Vendor

Wekan

Status
Vendor
CVE Published:
15 July 2026

What is CVE-2026-53446?

Wekan, an open-source kanban tool built with Meteor, has a server-side request forgery vulnerability in its webhook integration component. Prior to version 9.32, the application allowed board administrators to configure webhook URLs based on user input. These URLs were then processed by the server without adequate validation checks, potentially enabling attackers to initiate requests to internal or metadata services. This security flaw highlights the importance of implementing thorough validation for user-supplied data to prevent unauthorized access and protect sensitive environments. The issue has been addressed in version 9.32.

Affected Version(s)

wekan < 9.32

References

CVSS V4

Score:
6.2
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.