CVE-2026-32255
📋 TL;DR
This CVE describes a server-side request forgery (SSRF) vulnerability in Kan project management tool versions 0.5.4 and below. Unauthenticated attackers can exploit the /api/download/attatchment endpoint to make arbitrary HTTP requests from the server to internal services, cloud metadata endpoints, or private network resources. All deployments running vulnerable versions are affected.
💻 Affected Systems
- Kan project management tool
📦 What is this software?
Kan, a project management tool published on GitHub by the kanbn organization (github.com/kanbn/kan).
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of internal infrastructure, cloud metadata theft leading to cloud account takeover, or lateral movement to sensitive internal systems.
Likely Case
Information disclosure from internal services, enumeration of internal network resources, or access to cloud metadata.
If Mitigated
Limited impact if proper network segmentation and cloud metadata protections are in place, but still exposes internal services.
🎯 Exploit Status
Simple HTTP request manipulation required, no authentication needed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 0.5.5
Vendor Advisory: https://github.com/kanbn/kan/security/advisories/GHSA-qrx8-9hc6-jvqg
Restart Required: Yes
Instructions:
1. Stop the Kan service.
2. Update to version 0.5.5 using your package manager or by downloading from GitHub releases.
3. Restart the Kan service.
🔧 Temporary Workarounds
Block vulnerable endpoint at reverse proxy
Block or restrict access to the /api/download/attatchment endpoint at the reverse proxy level.
# Example nginx configuration
location /api/download/attatchment {
deny all;
return 403;
}
🧯 If You Can't Patch
- Implement strict network segmentation to isolate Kan server from internal resources
- Deploy cloud metadata protection controls and disable metadata service where possible
🔍 How to Verify
Check if Vulnerable:
Check if Kan version is 0.5.4 or below and test if /api/download/attatchment endpoint accepts arbitrary URLs without authentication.
Check Version:
Check package.json or run 'npm list kan' if installed via npm
Verify Fix Applied:
Verify Kan version is 0.5.5 or above and test that /api/download/attatchment endpoint now requires authentication and validates URLs.
📡 Detection & Monitoring
Log Indicators:
- Unusual requests to /api/download/attatchment with external or internal URLs
- Multiple failed authentication attempts if authentication was bypassed
Network Indicators:
- Outbound HTTP requests from Kan server to internal IP ranges or cloud metadata endpoints
- Unusual traffic patterns from Kan server
SIEM Query:
source="kan_logs" AND (uri="/api/download/attatchment" OR url_contains="metadata")
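A defender-side check for the log indicators above, as an added example that is not from the advisory or the Kan project: it parses access-log lines (combined-log format assumed), keeps only requests to /api/download/attatchment, and grades every query value that is a URL by whether it points at a cloud-metadata host, a loopback/private/link-local address, or a public host. The url parameter name and the sample log lines are constructed assumptions.

```python
# Added example (not from the advisory or the Kan project): flag access-log requests to
# the vulnerable endpoint whose query values are URLs aimed at internal or metadata hosts.
# The log format and the "url" parameter are assumptions; every query value is checked.
import ipaddress
import re
from urllib.parse import parse_qsl, unquote, urlsplit
VULN_PATH = "/api/download/attatchment"  # spelling as it appears in the advisory
METADATA_HOSTS = {"169.254.169.254", "metadata.google.internal", "metadata"}
LOG_RE = re.compile(  # combined-log style: client ident user [time] "METHOD target PROTO" status
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Constructed sample log; client addresses are documentation ranges, not real hosts.
ACCESS_LOG = """\
203.0.113.7 - - [10/Mar/2026:12:00:01 +0000] "GET /api/download/attatchment?url=https://cdn.example.com/report.pdf HTTP/1.1" 200 5120
203.0.113.7 - - [10/Mar/2026:12:00:05 +0000] "GET /api/download/attatchment?url=http://169.254.169.254/latest/meta-data/ HTTP/1.1" 200 311
203.0.113.7 - - [10/Mar/2026:12:00:09 +0000] "GET /api/download/attatchment?url=http%3A%2F%2F10.0.0.5%3A6379%2F HTTP/1.1" 500 0
203.0.113.7 - - [10/Mar/2026:12:01:30 +0000] "GET /api/download/attatchment?url=http://localhost:3000/admin HTTP/1.1" 200 899
"""


def classify_target(value):
    """'high' = cloud metadata, 'medium' = loopback/private/link-local, None = public or not a URL."""
    url = urlsplit(unquote(value))  # second decode catches double-encoded values
    if not url.scheme or not url.hostname:
        return None
    host = url.hostname.lower()
    if host in METADATA_HOSTS:
        return "high"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:  # a DNS name: localhost is the only one treated as internal here
        return "medium" if host == "localhost" else None
    return "medium" if ip.is_loopback or ip.is_private or ip.is_link_local else None


def scan_log(log_text):
    """Return (client, timestamp, param, decoded url, status, severity) per suspicious request."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        path, _, query = m.group("target").partition("?")
        if path != VULN_PATH:
            continue
        for param, value in parse_qsl(query, keep_blank_values=True):
            severity = classify_target(value)
            if severity:
                findings.append((m.group("src"), m.group("ts"), param, unquote(value), m.group("status"), severity))
    return findings
```

Public hosts are deliberately not flagged, since legitimate attachment storage normally lives there; several findings from one client in a short window are the pattern worth alerting on.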