CVE-2026-30844
Published: 06 March 2026
Summary
CVE-2026-30844 is a high-severity SSRF (CWE-918) vulnerability in Wekan Project Wekan. Its CVSS base score is 8.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 10.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Requires validation of user-supplied attachment URLs from JSON during board import to block SSRF by preventing the server from fetching arbitrary internal resources.
Mandates timely identification, reporting, and correction of the SSRF flaw via patching to Wekan version 8.34 or later.
Monitors and controls outbound communications at system boundaries to restrict SSRF-initiated requests to internal services like metadata endpoints.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
SSRF in public-facing app directly enables T1190 exploitation; description explicitly highlights use for cloud metadata access (T1522) to steal IAM creds (T1552.005).
NVD Description
Wekan is an open source kanban tool built with Meteor. Versions 8.32 and 8.33 are vulnerable to Server-Side Request Forgery (SSRF) via attachment URL loading. During board import in Wekan, attachment URLs from user-supplied JSON data are fetched directly by…
more
the server without any URL validation or filtering, affecting both the Wekan and Trello import flows. The parseActivities() and parseActions() methods extract user-controlled attachment URLs, which are then passed directly to Attachments.load() for download with no sanitization. This Server-Side Request Forgery (SSRF) vulnerability allows any authenticated user to make the server issue arbitrary HTTP requests, potentially accessing internal network services such as cloud instance metadata endpoints (exposing IAM credentials), internal databases, and admin panels that are otherwise unreachable from outside the network. This issue has been fixed in version 8.34.
Deeper analysisAI
CVE-2026-30844 is a Server-Side Request Forgery (SSRF) vulnerability (CWE-918) affecting Wekan, an open-source kanban tool built with Meteor, specifically in versions 8.32 and 8.33. The issue arises during board import processes for both Wekan and Trello flows, where attachment URLs extracted from user-supplied JSON data by the parseActivities() and parseActions() methods are passed directly to Attachments.load() for downloading without any URL validation or filtering. This allows the Wekan server to fetch arbitrary external or internal resources on behalf of the attacker. The vulnerability carries a CVSS v3.1 base score of 8.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N).
Any authenticated user can exploit this vulnerability by importing a maliciously crafted JSON board containing controlled attachment URLs, tricking the server into issuing arbitrary HTTP requests. Successful exploitation enables access to internal network services inaccessible from the public internet, such as cloud instance metadata endpoints that may expose IAM credentials, internal databases, and administrative panels.
The vulnerability has been addressed in Wekan version 8.34, as detailed in the project's GitHub release notes and the specific fix commit. Additional guidance is available in the GitHub Security Lab advisory (GHSL-2026-045_Wekan). Security practitioners should upgrade to version 8.34 or later to mitigate the risk.
Details
- CWE(s)