CVE-2026-32255
Published: 19 March 2026
Summary
CVE-2026-32255 is a high-severity SSRF (CWE-918) vulnerability in Kan. Its CVSS base score is 8.6 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). Its exploit-likelihood percentile is 18.1 (below the median), and it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-4 (Information Flow Enforcement).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- Directly addresses the missing URL validation by requiring that user-supplied URL inputs be validated before they are passed to fetch().
- Enforces authentication and authorization on the /api/download/attatchment endpoint so that unauthenticated access is blocked.
- Controls outbound information flows from the server so that it cannot be made to request arbitrary internal or private destinations.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
An SSRF in an unauthenticated, public endpoint directly enables T1190 (exploitation of a public-facing application). The description explicitly calls out forced requests to cloud metadata APIs, which maps to T1522 (instance metadata discovery) and T1552.005 (credential theft from instance metadata).
NVD Description
Kan is an open-source project management tool. In versions 0.5.4 and below, the /api/download/attatchment endpoint has no authentication and no URL validation. The Attachment Download endpoint accepts a user-supplied URL query parameter, passes it directly to fetch() server-side, and returns the full response body. An unauthenticated attacker can use this to make HTTP requests from the server to internal services, cloud metadata endpoints, or private network resources. This issue has been fixed in version 0.5.5. To workaround this issue, block or restrict access to /api/download/attatchment at the reverse proxy level (nginx, Cloudflare, etc.).
Deeper analysis
CVE-2026-32255 is a server-side request forgery (SSRF) vulnerability, classified under CWE-918, affecting Kan, an open-source project management tool, in versions 0.5.4 and below. The issue lies in the /api/download/attatchment endpoint, which performs no authentication checks and lacks URL validation. This endpoint accepts a user-supplied URL via a query parameter, passes it directly to the server's fetch() function, and returns the full response body to the caller.
Unauthenticated remote attackers can exploit this vulnerability over the network with low complexity and no user interaction required. By crafting requests to the endpoint, attackers can force the Kan server to issue HTTP requests to arbitrary destinations, such as internal services, cloud metadata endpoints (e.g., on AWS, Azure, or GCP), or other private network resources. The CVSS v3.1 base score of 8.6 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N) underscores the high confidentiality impact achievable in a cross-scope attack scenario.
The vulnerability has been fixed in Kan version 0.5.5. As a workaround prior to upgrading, block or restrict access to the /api/download/attatchment endpoint at the reverse proxy level using tools like nginx or Cloudflare. Additional details are available in the GitHub security advisory (GHSA-qrx8-9hc6-jvqg), the patching commit (53397d8e81dc1494d94132848c1f0416f1152bd7), and the v0.5.5 release notes.
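The reverse-proxy workaround described above, as an added nginx example that is not part of the advisory or of the Kan project. The server name, listen port and upstream name are assumptions; the route path is the one named in the advisory.

```nginx
# Added example (not from the advisory or Kan): refuse the vulnerable route at
# the proxy until the application is upgraded to 0.5.5 or later.
server {
    listen 443 ssl;
    server_name kan.example.com;          # constructed hostname

    # An exact-match location takes precedence over the prefix location below,
    # so requests for this path never reach the application. The query string
    # is not part of location matching, so ?url=... variants are covered too.
    # Keep a dedicated log so blocked attempts are visible to monitoring.
    location = /api/download/attatchment {
        access_log /var/log/nginx/kan-attachment-blocked.log;   # assumed path
        return 403;
    }

    location / {
        proxy_pass http://kan_upstream;   # assumed upstream name
    }
}
```

Once 0.5.5 is deployed the block can be narrowed (for example, `allow` for an internal address range followed by `deny all`) or removed, but the dedicated access log is worth keeping as a detection signal for continued probing of the endpoint.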
Details
- CWE(s)