Cyber Resilience

CVE-2026-41455

Severity: Medium · Public PoC

Published: 22 April 2026
Modified: 26 May 2026
KEV Added: not listed (not in the CISA KEV catalog)
Patch: WeKan 8.35

CVSS v4 base score: 6.3 (Medium)
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:H/SI:L/SA:N (threat and environmental metrics not defined)
EPSS score: 0.0024 (14.3 percentile)
Risk Priority: 35 (floored blend · peak EPSS)

Summary

CVE-2026-41455 is a medium-severity server-side request forgery (SSRF, CWE-918) vulnerability in WeKan. Its CVSS v4 base score is 6.3 (Medium); the v4 vector places the confidentiality impact on subsequent systems (SC:H) rather than on the vulnerable system (VC:N), which is why it scores lower than the 8.5 (High) the same flaw receives under CVSS v3.1.

Operationally, exploitation aligns with the MITRE ATT&CK technique Exfiltration Over Webhook (T1567.004). The CVE is ranked at the 14.3 percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-4 (Information Flow Enforcement) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-41455 is a server-side request forgery (SSRF) vulnerability, classified as CWE-918, affecting WeKan versions before 8.35. The flaw is in the webhook integration URL handling: the URL scheme field accepts any string, with no protocol restriction and no validation of the destination, so the server can be made to issue requests to internal network hosts.

Attackers with low privileges (PR:L) who can create or modify integrations can exploit this over the network (AV:N) with low complexity (AC:L) and no user interaction (UI:N). They set the webhook URL to an internal network address, or to any other target they control, and WeKan then sends HTTP POST requests carrying the full board event payloads to that destination, exfiltrating board data. In addition, the handling of the webhook response can be abused to overwrite arbitrary comment text without any authorization check, a limited integrity impact (VI:L). Under CVSS v3.1 the same flaw is rated 8.5 (High): high confidentiality impact (C:H), low integrity impact (I:L) and changed scope (S:C).

The fix ships in WeKan 8.35; see the release notes and the fixing commit 2cd702f48df2b8aef0e7381685f8e089986a18a4. Additional details on the vulnerability and its remediation are available in the Vulncheck advisory.

Vulnerability details

WeKan before 8.35 contains a server-side request forgery vulnerability in webhook integration URL handling where the URL scheme field accepts any string without protocol restriction or destination validation. Attackers who can create or modify integrations can set webhook URLs to internal network addresses, causing the server to issue HTTP POST requests to attacker-controlled internal targets with full board event payloads, and can additionally exploit response handling to overwrite arbitrary comment text without authorization checks.

CWE(s)

CWE-918 Server-Side Request Forgery (SSRF)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1567.004 Exfiltration Over Webhook (tactic: Exfiltration)
Adversaries may exfiltrate data to a webhook endpoint rather than over their primary command and control channel.
Why these techniques?

The SSRF in webhook URL handling lets low-privileged users set arbitrary destinations, so the server itself sends board event payloads via HTTP POST to attacker-controlled endpoints, which is exfiltration over a webhook.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-41060 (shared CWE-918)
CVE-2026-33039 (shared CWE-918)
CVE-2024-13195 (shared CWE-918)
CVE-2026-0613 (shared CWE-918)
CVE-2026-5052 (shared CWE-918)
CVE-2025-59503 (shared CWE-918)
CVE-2025-56589 (shared CWE-918)
CVE-2025-58045 (shared CWE-918)
CVE-2025-22399 (shared CWE-918)
CVE-2025-69299 (shared CWE-918)

Affected Assets

WeKan versions before 8.35 (fixed in 8.35)

Mitigating Controls (NIST 800-53 r5) (AI)

prevent · AC-4 Information Flow Enforcement

Enforces policy-based restrictions on information flows, directly blocking the server from issuing HTTP requests to arbitrary internal destinations via webhook URLs.

prevent · SI-10 Information Input Validation

Requires validation of all input fields, preventing acceptance of unrestricted URL schemes and internal target addresses in webhook integrations.

prevent

Enforces authorization checks before allowing modifications such as overwriting comment text or creating integrations that trigger SSRF.
