CVE-2026-32255 | HIGH 8.6 | EPSS p95.0%

Description

Kan is an open-source project management tool. In versions 0.5.4 and below, the /api/download/attatchment endpoint has no authentication and no URL validation: it accepts a user-supplied URL query parameter, passes it directly to a server-side fetch(), and returns the full response body to the caller. An unauthenticated attacker can use this to make HTTP requests from the server to internal services, cloud metadata endpoints, or private network resources. This issue has been fixed in version 0.5.5. To work around this issue, block or restrict access to /api/download/attatchment at the reverse proxy level (nginx, Cloudflare, etc.).

Scoring

CVSS 3.1: 8.6 (HIGH)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
EPSS: 10.07% probability of exploitation · percentile 95.0% · 2026-06-19T12:03:05Z
Published: 2026-03-19
Last modified: 2026-03-19

Underlying weaknesses (1)

CWE-918

References

  1. https://github.com/kanbn/kan/commit/53397d8e81dc1494d94132848c1f0416f1152bd7
  2. https://github.com/kanbn/kan/releases/tag/v0.5.5
  3. https://github.com/kanbn/kan/security/advisories/GHSA-qrx8-9hc6-jvqg

Type      Target                                       Confidence  Tier
Weakness  Server-Side Request Forgery (SSRF), cwe-918  0%          live

Related by meaning (6)

Nearest entities by semantic similarity across the cs-graph corpus.

CVE-2026-1963
CVE-2025-52560
CVE-2026-25924
CVE-2026-1962
CVE-2026-21881
CVE-2025-65778

Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.