CVE-2026-30844

Wekan is an open source kanban tool built with Meteor. Versions 8.32 and 8.33 are vulnerable to Server-Side Request Forgery (SSRF) via attachment URL loading. During board import in Wekan, attachment URLs from user-supplied JSON data are fetched directly by the server without any URL validation or filtering, affecting both the Wekan and Trello import flows. The parseActivities() and parseActions() methods extract user-controlled attachment URLs, which are then passed directly to Attachments.load() for download with no sanitization. This Server-Side Request Forgery (SSRF) vulnerability allows any authenticated user to make the server issue arbitrary HTTP requests, potentially accessing internal network services such as cloud instance metadata endpoints (exposing IAM credentials), internal databases, and admin panels that are otherwise unreachable from outside the network. This issue has been fixed in version 8.34.

CVSS v3 8.1 HIGH

8.1^/10

CVSS v3 : HIGH

Vector :

Exploitability : 2.8 / Impact : 5.2

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/wekan/wekan/commit/62216e36c15f55d4ef6cb97313db3aa54fc77fe0	Patch
https://github.com/wekan/wekan/releases/tag/v8.34	Release Notes
https://securitylab.github.com/advisories/GHSL-2026-045_Wekan/	Third Party Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:wekan_project:wekan:8.32:::::::*
	cpe:2.3:a:wekan_project:wekan:8.33:::::::*

History

No history.

Information

Published : 2026-03-06 20:16

Updated : 2026-03-11 14:56

NVD link : CVE-2026-30844

Mitre link : CVE-2026-30844

CVE.ORG link : CVE-2026-30844

JSON object : View

Products Affected

wekan_project

wekan

CWE

CWE-918

Server-Side Request Forgery (SSRF)

{"id": "CVE-2026-30844", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.2, "exploitabilityScore": 2.8}], "cvssMetricV40": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 9.3, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2026-03-06T20:16:17.030", "references": [{"url": "https://github.com/wekan/wekan/commit/62216e36c15f55d4ef6cb97313db3aa54fc77fe0", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/wekan/wekan/releases/tag/v8.34", "tags": ["Release Notes"], "source": "security-advisories@github.com"}, {"url": "https://securitylab.github.com/advisories/GHSL-2026-045_Wekan/", "tags": ["Third Party Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-918"}]}], "descriptions": [{"lang": "en", "value": "Wekan is an open source kanban tool built with Meteor. Versions 8.32 and 8.33 are vulnerable to Server-Side Request Forgery (SSRF) via attachment URL loading. During board import in Wekan, attachment URLs from user-supplied JSON data are fetched directly by the server without any URL validation or filtering, affecting both the Wekan and Trello import flows. The parseActivities() and parseActions() methods extract user-controlled attachment URLs, which are then passed directly to Attachments.load() for download with no sanitization. This Server-Side Request Forgery (SSRF) vulnerability allows any authenticated user to make the server issue arbitrary HTTP requests, potentially accessing internal network services such as cloud instance metadata endpoints (exposing IAM credentials), internal databases, and admin panels that are otherwise unreachable from outside the network. This issue has been fixed in version 8.34."}, {"lang": "es", "value": "Wekan es una herramienta kanban de c\u00f3digo abierto construida con Meteor. Las versiones 8.32 y 8.33 son vulnerables a la falsificaci\u00f3n de petici\u00f3n del lado del servidor (SSRF) a trav\u00e9s de la carga de URL de adjuntos. Durante la importaci\u00f3n de tableros en Wekan, las URL de adjuntos de datos JSON proporcionados por el usuario son obtenidas directamente por el servidor sin ninguna validaci\u00f3n o filtrado de URL, afectando tanto a los flujos de importaci\u00f3n de Wekan como de Trello. Los m\u00e9todos parseActivities() y parseActions() extraen URL de adjuntos controladas por el usuario, las cuales son luego pasadas directamente a Attachments.load() para su descarga sin sanitizaci\u00f3n. Esta vulnerabilidad de falsificaci\u00f3n de petici\u00f3n del lado del servidor (SSRF) permite a cualquier usuario autenticado hacer que el servidor emita peticiones HTTP arbitrarias, potencialmente accediendo a servicios de red internos como puntos finales de metadatos de instancias en la nube (exponiendo credenciales IAM), bases de datos internas y paneles de administraci\u00f3n que de otro modo ser\u00edan inalcanzables desde fuera de la red. Este problema ha sido solucionado en la versi\u00f3n 8.34."}], "lastModified": "2026-03-11T14:56:52.180", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:wekan_project:wekan:8.32:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "49FD24D6-7487-4971-B679-E8CB7EF29A64"}, {"criteria": "cpe:2.3:a:wekan_project:wekan:8.33:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "24B3EEBA-2A0C-4A5A-B07A-13219B4E03D8"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}