{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/wekan/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":8.3,"id":"CVE-2026-41454"}],"_cs_exploited":false,"_cs_products":["WeKan"],"_cs_severities":["high"],"_cs_tags":["wekan","missing-authorization","rest-api","privilege-escalation"],"_cs_type":"advisory","_cs_vendors":["WeKan"],"content_html":"\u003cp\u003eWeKan, a collaborative Kanban board application, is vulnerable to a missing authorization issue in versions prior to 8.35. This flaw resides within the Integration REST API endpoints, where authenticated board members can execute administrative actions without sufficient privilege validation. An attacker, if they are an authenticated user, can exploit this vulnerability to enumerate integrations, including webhook URLs, create new integrations, modify or delete existing integrations, and manage integration activities. The root cause is insufficient authorization checks within the JsonRoutes REST handlers. Successful exploitation can lead to unauthorized access to sensitive information and modification of board configurations.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains valid credentials for a WeKan board member account.\u003c/li\u003e\n\u003cli\u003eThe attacker authenticates to the WeKan application via the standard login procedure.\u003c/li\u003e\n\u003cli\u003eThe attacker sends a crafted HTTP request to the \u003ccode\u003e/api/integration\u003c/code\u003e endpoint without proper administrative privileges.\u003c/li\u003e\n\u003cli\u003eDue to missing authorization checks, the request is processed, and the attacker is able to enumerate existing integrations, including sensitive webhook URLs.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts another HTTP request to the \u003ccode\u003e/api/integration\u003c/code\u003e endpoint to create a new, malicious integration (e.g., a webhook that sends data to an external attacker-controlled server).\u003c/li\u003e\n\u003cli\u003eThe attacker modifies existing integrations to redirect data flow to attacker-controlled endpoints.\u003c/li\u003e\n\u003cli\u003eThe attacker deletes legitimate integrations, disrupting board functionality.\u003c/li\u003e\n\u003cli\u003eThe attacker manages integration activities, potentially triggering malicious actions or gaining further information.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows an attacker to perform administrative actions on WeKan boards without proper authorization. This can lead to the exposure of sensitive webhook URLs, unauthorized modification or deletion of integrations, and the creation of malicious integrations for data exfiltration or disruption. The CVSS v3.1 score of 8.3 indicates a high severity vulnerability with significant potential for data compromise and system impact. The number of affected WeKan installations is currently unknown, but organizations using WeKan for project management and collaboration are at risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade WeKan to version 8.35 or later to patch CVE-2026-41454, addressing the missing authorization vulnerability as detailed in the \u003ca href=\"#references\"\u003ereference links\u003c/a\u003e.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect WeKan Integration API Abuse\u0026rdquo; to identify potential exploitation attempts against the Integration REST API endpoints, monitoring webserver logs for unusual API requests.\u003c/li\u003e\n\u003cli\u003eReview and restrict access rights for WeKan board members, ensuring that only authorized personnel have administrative privileges to minimize the attack surface as outlined in the \u003ca href=\"#overview\"\u003eoverview\u003c/a\u003e.\u003c/li\u003e\n\u003cli\u003eMonitor webserver logs for requests to \u003ccode\u003e/api/integration\u003c/code\u003e with methods like POST, PUT, and DELETE originating from non-admin users.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-23T10:00:00Z","date_published":"2026-04-23T10:00:00Z","id":"/briefs/2026-04-wekan-missing-auth/","summary":"WeKan before 8.35 contains a missing authorization vulnerability in the Integration REST API endpoints, allowing authenticated board members to perform administrative actions without proper privilege verification, potentially leading to unauthorized data access and modification.","title":"WeKan Missing Authorization Vulnerability in Integration REST API","url":"https://feed.craftedsignal.io/briefs/2026-04-wekan-missing-auth/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.5,"id":"CVE-2026-41455"}],"_cs_exploited":false,"_cs_products":["WeKan"],"_cs_severities":["high"],"_cs_tags":["ssrf","wekan","cve-2026-41455"],"_cs_type":"advisory","_cs_vendors":["WeKan"],"content_html":"\u003cp\u003eWeKan, a popular open-source kanban board application, is susceptible to a server-side request forgery (SSRF) vulnerability in versions prior to 8.35. This flaw resides in the handling of webhook integration URLs, where insufficient validation allows attackers to specify arbitrary internal network addresses as webhook targets. An attacker with the ability to create or modify integrations within WeKan can exploit this vulnerability. By crafting a malicious webhook URL, they can force the WeKan server to issue HTTP POST requests to attacker-controlled internal targets, potentially exposing sensitive internal resources and data. This vulnerability can also be chained with another flaw to overwrite arbitrary comment text without authorization checks, increasing the potential for data manipulation and unauthorized access.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains access to a WeKan account with privileges to create or modify integrations.\u003c/li\u003e\n\u003cli\u003eThe attacker navigates to the webhook integration settings within a WeKan board.\u003c/li\u003e\n\u003cli\u003eThe attacker enters a malicious URL pointing to an internal server (e.g., \u003ccode\u003ehttp://internal.example.com/admin\u003c/code\u003e) in the webhook URL field.\u003c/li\u003e\n\u003cli\u003eThe attacker triggers an event on the WeKan board (e.g., creating a new card, moving a card).\u003c/li\u003e\n\u003cli\u003eThe WeKan server, without proper validation, sends an HTTP POST request to the attacker-specified internal URL.\u003c/li\u003e\n\u003cli\u003eThe internal server receives the request, potentially revealing sensitive information about the WeKan board and its contents.\u003c/li\u003e\n\u003cli\u003eThe attacker exploits response handling to overwrite arbitrary comment text without authorization checks.\u003c/li\u003e\n\u003cli\u003eThe attacker gains unauthorized access to internal resources or sensitive data through the SSRF vulnerability.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this SSRF vulnerability allows attackers to potentially access internal network resources that are otherwise inaccessible from the outside. This could lead to the disclosure of sensitive information, such as internal application configurations, database credentials, or other confidential data. Furthermore, the ability to overwrite arbitrary comment text can be used to deface WeKan boards, spread misinformation, or disrupt normal operations. The CVSS v3.1 base score for this vulnerability is 8.5, indicating a high severity risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade WeKan to version 8.35 or later to remediate CVE-2026-41455.\u003c/li\u003e\n\u003cli\u003eImplement network segmentation to limit the impact of potential SSRF attacks.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetectSuspiciousWekanWebhookUrls\u003c/code\u003e to identify attempts to exploit this vulnerability by monitoring for requests to internal IP addresses or unusual domains.\u003c/li\u003e\n\u003cli\u003eEnable web server logging for the WeKan instance to capture details of outgoing HTTP requests.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"/briefs/2024-01-02-wekan-ssrf/","summary":"WeKan before 8.35 is vulnerable to server-side request forgery (SSRF), allowing attackers with integration modification privileges to set webhook URLs to internal network addresses, leading to unauthorized HTTP POST requests and potential comment manipulation.","title":"WeKan SSRF Vulnerability in Webhook Integration","url":"https://feed.craftedsignal.io/briefs/2024-01-02-wekan-ssrf/"}],"language":"en","title":"CraftedSignal Threat Feed — Wekan","version":"https://jsonfeed.org/version/1.1"}