Advisory severity: high

WeKan SSRF Vulnerability in Webhook Integration

WeKan before 8.35 is vulnerable to server-side request forgery (SSRF), allowing attackers with integration modification privileges to set webhook URLs to internal network addresses, leading to unauthorized HTTP POST requests and potential comment manipulation.

WeKan, a popular open-source kanban board application, is susceptible to a server-side request forgery (SSRF) vulnerability in versions prior to 8.35. This flaw resides in the handling of webhook integration URLs, where insufficient validation allows attackers to specify arbitrary internal network addresses as webhook targets. An attacker with the ability to create or modify integrations within WeKan can exploit this vulnerability. By crafting a malicious webhook URL, they can force the WeKan server to issue HTTP POST requests to attacker-controlled internal targets, potentially exposing sensitive internal resources and data. This vulnerability can also be chained with another flaw to overwrite arbitrary comment text without authorization checks, increasing the potential for data manipulation and unauthorized access.

Attack Chain

  1. An attacker gains access to a WeKan account with privileges to create or modify integrations.
  2. The attacker navigates to the webhook integration settings within a WeKan board.
  3. The attacker enters a malicious URL pointing to an internal server (e.g., http://internal.example.com/admin) in the webhook URL field.
  4. The attacker triggers an event on the WeKan board (e.g., creating a new card, moving a card).
  5. The WeKan server, without proper validation, sends an HTTP POST request to the attacker-specified internal URL.
  6. The internal server receives the request, potentially revealing sensitive information about the WeKan board and its contents.
  7. The attacker exploits response handling to overwrite arbitrary comment text without authorization checks.
  8. The attacker gains unauthorized access to internal resources or sensitive data through the SSRF vulnerability.

Impact

Successful exploitation of this SSRF vulnerability allows attackers to potentially access internal network resources that are otherwise inaccessible from the outside. This could lead to the disclosure of sensitive information, such as internal application configurations, database credentials, or other confidential data. Furthermore, the ability to overwrite arbitrary comment text can be used to deface WeKan boards, spread misinformation, or disrupt normal operations. The CVSS v3.1 base score for this vulnerability is 8.5, indicating a high severity risk.

Recommendation

  • Upgrade WeKan to version 8.35 or later to remediate CVE-2026-41455.
  • Implement network segmentation to limit the impact of potential SSRF attacks.
  • Deploy the Sigma rule DetectSuspiciousWekanWebhookUrls to identify attempts to exploit this vulnerability by monitoring for requests to internal IP addresses or unusual domains.
  • Enable web server logging for the WeKan instance to capture details of outgoing HTTP requests.
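The webhook URL check that the advisory describes as missing, and the predicate behind a detection rule of the kind recommended above, as an added Node.js example that is not WeKan's code: it classifies a webhook URL as allow or reject based on scheme and on whether the host is a literal loopback, private, link-local, unique-local or IPv4-mapped address. The blocked prefix list and the sample URLs are constructed for the example; DNS hostnames pass through here and must be resolved and re-checked at request time.

```javascript
// IPv4 prefixes a webhook must never target ([network, prefix length]);
// assumption: extend this with your own internal prefixes.
const BLOCKED_V4 = [
  ['0.0.0.0', 8], ['10.0.0.0', 8], ['100.64.0.0', 10], ['127.0.0.0', 8],
  ['169.254.0.0', 16], ['172.16.0.0', 12], ['192.168.0.0', 16],
];

function v4ToInt(ip) {
  return ip.split('.').reduce((acc, o) => (acc << 8) | Number(o), 0) >>> 0;
}

function v4IntBlocked(n) {
  return BLOCKED_V4.some(([base, bits]) => {
    const mask = (~0 << (32 - bits)) >>> 0;
    return ((n & mask) >>> 0) === ((v4ToInt(base) & mask) >>> 0);
  });
}

// `hostRaw` is the WHATWG-normalised hostname, so shorthand forms such as
// 127.1 or 0x7f000001 already arrive as dotted quads; IPv6 arrives bracketed.
function isBlockedHost(hostRaw) {
  const host = hostRaw.replace(/^\[|\]$/g, '').toLowerCase();
  if (host === 'localhost' || host.endsWith('.localhost')) return true;
  if (/^\d{1,3}(\.\d{1,3}){3}$/.test(host)) return v4IntBlocked(v4ToInt(host));
  if (host.includes(':')) {
    if (host === '::1' || host === '::') return true;      // loopback, unspecified
    if (/^f[cd][0-9a-f]{2}:/.test(host)) return true;      // fc00::/7 unique-local
    if (/^fe[89ab][0-9a-f]:/.test(host)) return true;      // fe80::/10 link-local
    const m = host.match(/^::ffff:([0-9a-f]{1,4}):([0-9a-f]{1,4})$/); // ::ffff:a.b.c.d
    if (m) return v4IntBlocked(((parseInt(m[1], 16) << 16) | parseInt(m[2], 16)) >>> 0);
  }
  return false; // public literal IP or a DNS name (resolve and re-check before sending)
}

// 'reject' for unparsable URLs, non-http(s) schemes or blocked targets.
function classifyWebhookUrl(urlString) {
  let u;
  try { u = new URL(urlString); } catch { return 'reject'; }
  if (u.protocol !== 'http:' && u.protocol !== 'https:') return 'reject';
  return isBlockedHost(u.hostname) ? 'reject' : 'allow';
}

// Constructed sample of webhook URLs as read from integration records.
const SAMPLE_URLS = [
  'https://hooks.example.com/wekan',
  'http://10.0.0.5/admin',
  'http://[::ffff:127.0.0.1]:8080/',
];

// Returns the URLs a reviewer should look at.
const flaggedUrls = (urls) => urls.filter((u) => classifyWebhookUrl(u) === 'reject');
```

Run the same function both as pre-save validation on the integration form and over exported integration records to find entries saved before the upgrade.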

Detection coverage (2 rules)

Detect Suspicious WeKan Webhook URLs

Severity: high

Detects suspicious WeKan webhook URLs that point to internal IP addresses or private network ranges, indicative of potential SSRF attempts.

Rule type: sigma | Tactics: initial_access | Techniques: T1190 | Sources: webserver, linux

Detect WeKan Webhook URL Modifications

Severity: medium

Detects modifications to the webhook URL parameter, potentially indicating an attempt to exploit the SSRF vulnerability.

Rule type: sigma | Tactics: initial_access | Techniques: T1190 | Sources: webserver, linux
