Cyber Resilience

CVE-2026-30844

Critical

Published: 06 March 2026

Published
06 March 2026
Modified
11 March 2026
KEV Added
Patch
CVSS Score v4 9.3 CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0024 14.3th percentile
Risk Priority 70 floored blend · peak EPSS

Summary

CVE-2026-30844 is a critical-severity SSRF (CWE-918) vulnerability in Wekan Project Wekan. Its CVSS base score is 9.3 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 14.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-30844 is a Server-Side Request Forgery (SSRF) vulnerability (CWE-918) affecting Wekan, an open-source kanban tool built with Meteor, specifically in versions 8.32 and 8.33. The issue arises during board import processes for both Wekan and Trello flows, where attachment URLs extracted from user-supplied JSON data by the parseActivities() and parseActions() methods are passed directly to Attachments.load() for downloading without any URL validation or filtering. This allows the Wekan server to fetch arbitrary external or internal resources on behalf of the attacker. The vulnerability carries a CVSS v3.1 base score of 8.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N).

Any authenticated user can exploit this vulnerability by importing a maliciously crafted JSON board containing controlled attachment URLs, tricking the server into issuing arbitrary HTTP requests. Successful exploitation enables access to internal network services inaccessible from the public internet, such as cloud instance metadata endpoints that may expose IAM credentials, internal databases, and administrative panels.

The vulnerability has been addressed in Wekan version 8.34, as detailed in the project's GitHub release notes and the specific fix commit. Additional guidance is available in the GitHub Security Lab advisory (GHSL-2026-045_Wekan). Security practitioners should upgrade to version 8.34 or later to mitigate the risk.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

Wekan is an open source kanban tool built with Meteor. Versions 8.32 and 8.33 are vulnerable to Server-Side Request Forgery (SSRF) via attachment URL loading. During board import in Wekan, attachment URLs from user-supplied JSON data are fetched directly by…

more

the server without any URL validation or filtering, affecting both the Wekan and Trello import flows. The parseActivities() and parseActions() methods extract user-controlled attachment URLs, which are then passed directly to Attachments.load() for download with no sanitization. This Server-Side Request Forgery (SSRF) vulnerability allows any authenticated user to make the server issue arbitrary HTTP requests, potentially accessing internal network services such as cloud instance metadata endpoints (exposing IAM credentials), internal databases, and admin panels that are otherwise unreachable from outside the network. This issue has been fixed in version 8.34.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1552.005 Cloud Instance Metadata API Credential Access
Adversaries may attempt to access the Cloud Instance Metadata API to collect credentials and other sensitive data.
Why these techniques?

SSRF in public-facing app directly enables T1190 exploitation; description explicitly highlights use for cloud metadata access (T1522) to steal IAM creds (T1552.005).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-1962Same product: Wekan Project Wekan
CVE-2026-25563Same product: Wekan Project Wekan
CVE-2026-30845Same product: Wekan Project Wekan
CVE-2026-25560Same product: Wekan Project Wekan
CVE-2026-30846Same product: Wekan Project Wekan
CVE-2026-25564Same product: Wekan Project Wekan
CVE-2026-25859Same product: Wekan Project Wekan
CVE-2026-25561Same product: Wekan Project Wekan
CVE-2026-1963Same product: Wekan Project Wekan
CVE-2026-2206Same product: Wekan Project Wekan

Affected Assets

wekan project
wekan
8.32, 8.33

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Requires validation of user-supplied attachment URLs from JSON during board import to block SSRF by preventing the server from fetching arbitrary internal resources.

prevent

Mandates timely identification, reporting, and correction of the SSRF flaw via patching to Wekan version 8.34 or later.

prevent

Monitors and controls outbound communications at system boundaries to restrict SSRF-initiated requests to internal services like metadata endpoints.

References