CVE-2026-41455
Published: 22 April 2026
Summary
CVE-2026-41455 is a medium-severity SSRF (CWE-918) vulnerability. Its CVSS base score is 6.3 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exfiltration Over Webhook (T1567.004). The vulnerability is ranked at the 14.3rd percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-4 (Information Flow Enforcement) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2026-41455 is a server-side request forgery (SSRF) vulnerability, classified as CWE-918, affecting WeKan versions before 8.35. The flaw exists in the webhook integration URL handling, where the URL schema field accepts any string without protocol restrictions or destination validation, enabling unauthorized internal network interactions.
Attackers with low privileges (PR:L) who can create or modify integrations may exploit this over the network (AV:N) with low complexity (AC:L) and no user interaction (UI:N). They can configure webhook URLs to target internal network addresses under their control, prompting the WeKan server to send HTTP POST requests containing full board event payloads and achieving high confidentiality impact (C:H) through data exfiltration. Additionally, response handling can be abused to overwrite arbitrary comment text without authorization checks, yielding limited integrity impact (I:L) in a changed scope (S:C), as reflected in the CVSS v3.1 score of 8.5.
The vulnerability is fixed in WeKan 8.35, per the release notes and fixing commit 2cd702f48df2b8aef0e7381685f8e089986a18a4. Additional details on the vulnerability and its remediation are available in the Vulncheck advisory.
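The two missing checks described above, scheme restriction and destination validation, are shown below as an added example of the kind of allow-list validation a webhook URL field needs before the value is stored; this is illustrative code, not WeKan's own fix, and it assumes that only public DNS names and public IPv4 literals are acceptable targets.

```javascript
// Added example, not WeKan's code: an allow-list validator for a user-supplied
// webhook URL that rejects non-HTTP schemes and internal/link-local targets.
// Assumption: only public DNS names and public IPv4 literals are acceptable;
// DNS names must still be resolved and re-checked when the request is sent.
const ALLOWED_PROTOCOLS = new Set(["http:", "https:"]);
const IPV4 = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/;

// True when a dotted-decimal IPv4 literal lies in a range a webhook must never target.
function isInternalIPv4(ip) {
  const m = IPV4.exec(ip);
  if (!m) return false;
  const [a, b] = [Number(m[1]), Number(m[2])];
  return (
    a === 10 ||                           // 10.0.0.0/8, RFC 1918
    (a === 172 && b >= 16 && b <= 31) ||  // 172.16.0.0/12, RFC 1918
    (a === 192 && b === 168) ||           // 192.168.0.0/16, RFC 1918
    (a === 100 && b >= 64 && b <= 127) || // 100.64.0.0/10, carrier-grade NAT
    (a === 169 && b === 254) ||           // link-local, incl. cloud metadata services
    a === 127 ||                          // loopback
    a === 0                               // "this" network
  );
}

// Validate a webhook URL before it is stored. Returns { ok, reason } or { ok, url }.
function validateWebhookUrl(raw) {
  let url;
  try {
    url = new URL(String(raw)); // WHATWG parser: lower-cases the host and canonicalises
  } catch {                     // numeric hosts such as 2130706433 to 127.0.0.1
    return { ok: false, reason: "unparseable URL" };
  }
  if (!ALLOWED_PROTOCOLS.has(url.protocol)) {
    return { ok: false, reason: `scheme ${url.protocol} not allowed` };
  }
  if (url.username || url.password) {
    return { ok: false, reason: "credentials in URL not allowed" };
  }
  const host = url.hostname;
  if (host.startsWith("[")) { // IPv6 literal: mapped/loopback/ULA forms are easy to miss
    return { ok: false, reason: "IPv6 literal not allowed" };
  }
  if (host === "localhost" || /\.(localhost|local|internal)$/.test(host)) {
    return { ok: false, reason: "internal hostname" };
  }
  if (isInternalIPv4(host)) {
    return { ok: false, reason: "internal IPv4 address" };
  }
  return { ok: true, url: url.href };
}
```

Save-time validation is only part of the fix: the hostname must be resolved and re-checked when the request is actually issued, and the webhook response body must not be used to modify board data such as comment text.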
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-25118
Vulnerability details
WeKan before 8.35 contains a server-side request forgery vulnerability in webhook integration URL handling where the URL scheme field accepts any string without protocol restriction or destination validation. Attackers who can create or modify integrations can set webhook URLs to internal network addresses, causing the server to issue HTTP POST requests to attacker-controlled internal targets with full board event payloads, and can additionally exploit response handling to overwrite arbitrary comment text without authorization checks.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
SSRF in webhook URL handling allows low-privilege users to set arbitrary destinations, causing the server to automatically send board event payloads via HTTP POST to attacker-controlled endpoints, which is exfiltration over a webhook.
Mitigating Controls (NIST 800-53 r5)
- AC-4 (Information Flow Enforcement): enforces policy-based restrictions on information flows, directly blocking the server from issuing HTTP requests to arbitrary internal destinations via webhook URLs.
- SI-10 (Information Input Validation): requires validation of all input fields, preventing acceptance of unrestricted URL schemes and internal target addresses in webhook integrations.
- Access enforcement: enforces authorization checks before allowing modifications such as overwriting comment text or creating integrations that trigger SSRF.