Cyber Resilience

CVE-2026-32255

High

Published: 19 March 2026
Modified: 19 March 2026
KEV Added: not listed
Patch: available (fixed in 0.5.5)
CVSS v3.1 score: 8.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N)
EPSS score: 0.1007 (95.0th percentile)
Risk priority: 60 (floored blend, peak EPSS)

Summary

CVE-2026-32255 is a high-severity SSRF (CWE-918) vulnerability in Kan. Its CVSS base score is 8.6 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 5.0% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-4 (Information Flow Enforcement).

Deeper analysis

CVE-2026-32255 is a server-side request forgery (SSRF) vulnerability, classified under CWE-918, affecting Kan, an open-source project management tool, in versions 0.5.4 and below. The issue lies in the /api/download/attatchment endpoint, which performs no authentication checks and lacks URL validation. This endpoint accepts a user-supplied URL via a query parameter, passes it directly to the server's fetch() function, and returns the full response body to the caller.

Unauthenticated remote attackers can exploit this vulnerability over the network with low complexity and no user interaction required. By crafting requests to the endpoint, attackers can force the Kan server to issue HTTP requests to arbitrary destinations, such as internal services, cloud metadata endpoints (e.g., on AWS, Azure, or GCP), or other private network resources. The CVSS v3.1 base score of 8.6 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N) underscores the high confidentiality impact achievable in a cross-scope attack scenario.

The vulnerability has been fixed in Kan version 0.5.5. As a workaround prior to upgrading, block or restrict access to the /api/download/attatchment endpoint at the reverse proxy level using tools like nginx or Cloudflare. That block only helps if the application cannot be reached except through the proxy (direct access to the application port bypasses it), and it does not add the missing authentication or URL validation, so upgrading remains the actual fix. Additional details are available in the GitHub security advisory (GHSA-qrx8-9hc6-jvqg), the patching commit (53397d8e81dc1494d94132848c1f0416f1152bd7), and the v0.5.5 release notes.

Vulnerability details

Kan is an open-source project management tool. In versions 0.5.4 and below, the /api/download/attatchment endpoint has no authentication and no URL validation. The Attachment Download endpoint accepts a user-supplied URL query parameter, passes it directly to fetch() server-side, and returns the full response body. An unauthenticated attacker can use this to make HTTP requests from the server to internal services, cloud metadata endpoints, or private network resources. This issue has been fixed in version 0.5.5. To work around this issue, block or restrict access to /api/download/attatchment at the reverse proxy level (nginx, Cloudflare, etc.).

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1552.005 Cloud Instance Metadata API Credential Access
Adversaries may attempt to access the Cloud Instance Metadata API to collect credentials and other sensitive data.
Why these techniques?

SSRF in an unauthenticated public endpoint directly enables T1190 (exploitation of a public-facing application); the description explicitly calls out forced requests to cloud metadata APIs, which enables T1552.005 (credential theft from the instance metadata service).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-33039 (shared CWE-918)
CVE-2026-33351 (shared CWE-918)
CVE-2025-54122 (shared CWE-918)
CVE-2026-25545 (shared CWE-918)
CVE-2026-41905 (shared CWE-918)
CVE-2025-50180 (shared CWE-918)
CVE-2026-28423 (shared CWE-918)
CVE-2026-42595 (shared CWE-918)
CVE-2025-8085 (shared CWE-918)
CVE-2026-31017 (shared CWE-918)

Affected Assets

Vendor: kan
Product: kan
Versions: ≤ 0.5.4 (fixed in 0.5.5)

Mitigating Controls (NIST 800-53 r5)

prevent: Directly addresses the lack of URL validation by requiring validation of user-supplied URL inputs before passing them to fetch().

prevent (AC-3, Access Enforcement): Enforces authentication and authorization on the /api/download/attatchment endpoint to block unauthenticated access.

prevent (AC-4, Information Flow Enforcement): Controls outbound information flows from the server so it cannot be made to request arbitrary internal or private destinations.
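The three controls above, and the handler shape described under Deeper analysis, look like this in code. This is an added example written for this page; it is not Kan's code and not the patch in commit 53397d8e81dc1494d94132848c1f0416f1152bd7. The function names (downloadAttachmentUnsafe, parseAttachmentUrl, firstNonPublic, downloadAttachmentSafe), the session and resolve parameters, and the sample addresses are this example's own assumptions. The unsafe function hands the raw query parameter to fetch() and returns the body; the safe path adds the missing session check, allows only http(s), refuses literal or resolved addresses in loopback, link-local (including 169.254.169.254), RFC 1918, CGNAT, multicast and non-global IPv6 ranges, and refuses to follow redirects. It relies on the WHATWG URL parser to canonicalise hosts such as 127.1, 0x7f000001 and 2130706433 before the range check.

```javascript
// Added example, not Kan's code or patch. Function names, the `session` and
// `resolve` parameters and the sample addresses are this example's own assumptions.

// The shape the advisory describes: the raw ?url= value goes straight to the
// server's fetch() with no session check, and the whole body is returned.
async function downloadAttachmentUnsafe(urlParam) {
  const res = await fetch(urlParam);
  return new Uint8Array(await res.arrayBuffer());
}

// Dotted quad -> uint32, or null. `new URL` has already rewritten 127.1,
// 0x7f000001 and 2130706433 into canonical dotted-quad text before we get here.
function ipv4ToInt(s) {
  const parts = s.split(".");
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p) || Number(p) > 255) return null;
    n = n * 256 + Number(p);
  }
  return n;
}

// Ranges an attachment fetch must never reach: "this host", RFC 1918, CGNAT,
// loopback, link-local (cloud metadata sits at 169.254.169.254), multicast, reserved.
const BLOCKED_V4 = [
  ["0.0.0.0", 8], ["10.0.0.0", 8], ["100.64.0.0", 10], ["127.0.0.0", 8],
  ["169.254.0.0", 16], ["172.16.0.0", 12], ["192.168.0.0", 16],
  ["224.0.0.0", 4], ["240.0.0.0", 4],
].map(([ip, len]) => [ipv4ToInt(ip), len]);

function isPublicV4(ip) {
  const n = ipv4ToInt(ip);
  if (n === null) return false;
  return BLOCKED_V4.every(([base, len]) => (n >>> (32 - len)) !== (base >>> (32 - len)));
}

// IPv6 literal without brackets -> eight 16-bit groups, or null if malformed.
function ipv6Groups(lit) {
  const halves = lit.split("::");
  if (halves.length > 2) return null;
  const head = halves[0] === "" ? [] : halves[0].split(":");
  const tail = halves.length === 2 && halves[1] !== "" ? halves[1].split(":") : [];
  if (!head.concat(tail).every((g) => /^[0-9a-f]{1,4}$/i.test(g))) return null;
  const missing = 8 - head.length - tail.length;
  if (missing < 0 || (halves.length === 1 && missing !== 0)) return null;
  return head.concat(Array(missing).fill("0"), tail).map((g) => parseInt(g, 16));
}

function isPublicV6(lit) {
  const g = ipv6Groups(lit);
  if (g === null) return false;
  // IPv4-mapped (::ffff:a.b.c.d): judge the embedded IPv4 address instead.
  if (g.slice(0, 5).every((x) => x === 0) && g[5] === 0xffff) {
    return isPublicV4(`${g[6] >> 8}.${g[6] & 0xff}.${g[7] >> 8}.${g[7] & 0xff}`);
  }
  // Loopback, unspecified, ULA (fc00::/7) and link-local (fe80::/10) all lie
  // outside global unicast 2000::/3, so one prefix test rejects them all.
  return (g[0] & 0xe000) === 0x2000;
}

// Step 1 (pure): parse and normalise; allow only http(s), refuse embedded
// credentials and localhost names. `literal` is the IP literal host (brackets
// stripped) or null when the host is a DNS name that still has to be resolved.
function parseAttachmentUrl(raw) {
  let u;
  try { u = new URL(raw); } catch { return { ok: false, reason: "unparseable" }; }
  if (u.protocol !== "http:" && u.protocol !== "https:") return { ok: false, reason: "scheme" };
  if (u.username !== "" || u.password !== "") return { ok: false, reason: "credentials-in-url" };
  const host = u.hostname;
  if (host === "localhost" || host.endsWith(".localhost")) return { ok: false, reason: "localhost" };
  let literal = null;
  if (host.startsWith("[")) literal = host.slice(1, -1);
  else if (ipv4ToInt(host) !== null) literal = host;
  return { ok: true, url: u.href, host, literal };
}

// Step 2 (pure): the first address that is not public, or null if all are.
function firstNonPublic(ips) {
  for (const ip of ips) {
    if (!(ip.includes(":") ? isPublicV6(ip) : isPublicV4(ip))) return ip;
  }
  return null;
}

// Step 3: the hardened endpoint. `session` stands in for the missing auth check;
// `resolve(host)` returns every IP literal the name maps to (e.g. dns.promises.lookup
// with { all: true }). The client must then connect to exactly those addresses.
async function downloadAttachmentSafe(urlParam, resolve, session) {
  if (!session) throw new Error("unauthenticated");
  const p = parseAttachmentUrl(urlParam);
  if (!p.ok) throw new Error(`refused: ${p.reason}`);
  const ips = p.literal !== null ? [p.literal] : await resolve(p.host);
  if (ips.length === 0) throw new Error("refused: unresolvable");
  const bad = firstNonPublic(ips);
  if (bad !== null) throw new Error(`refused: ${bad} is not a public address`);
  // redirect: "manual" so a public URL cannot 302 the server into a private one.
  const res = await fetch(p.url, { redirect: "manual" });
  if (res.status >= 300 && res.status < 400) throw new Error("refused: redirect");
  return new Uint8Array(await res.arrayBuffer());
}
```

Two points a practitioner should not skip. First, the check resolves the hostname and then hands the result to the HTTP client; if the client performs its own lookup, a DNS answer that changes between the two lookups (rebinding) can point the real connection at 169.254.169.254 after validation passed, so pin the connection to the checked addresses with a custom lookup function on the HTTP agent. Second, the global-unicast test for IPv6 is deliberately an allowlist: anything outside 2000::/3, including NAT64 prefixes, is refused, which is the right default for a feature that only needs to fetch public attachments.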