CVE-2026-41455

WeKan < 8.35 SSRF via Webhook URL

Assigner: VulnCheck
Reserved: 20.04.2026 Published: 22.04.2026 Updated: 22.04.2026

WeKan before 8.35 contains a server-side request forgery vulnerability in webhook integration URL handling where the url schema field accepts any string without protocol restriction or destination validation. Attackers who can create or modify integrations can set webhook URLs to internal network addresses, causing the server to issue HTTP POST requests to attacker-controlled internal targets with full board event payloads, and can additionally exploit response handling to overwrite arbitrary comment text without authorization checks.

Metrics

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:H/SI:L/SA:N
CVSS Score: 6.3

Exploitability Metrics		Vulnerable System Impact Metrics		Subsequent System Impact Metrics
Attack Vector	Network	Confidentiality	None	Confidentiality	High
Attack Complexity	Low	Integrity	Low	Integrity	Low
Attack Requirements	None	Availability	None	Availability	None
Privileges Required	Low
User Interaction	None

CVSS 4.0

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N
CVSS Score: 8.5

Attack Vector	Network	Scope	Changed
Attack Complexity	Low	Confidentiality Impact	High
Privileges Required	Low	Integrity Impact	Low
User Interaction	None	Availability Impact	None

CVSS 3.1

Product Status

Vendor	wekan
Product	wekan
Versions	Default: unaffected affected from 0 to 8.35.0 (excl.) Version 2cd702f48df2b8aef0e7381685f8e089986a18a4 is unaffected

Vendor

wekan

Product

wekan

Versions

Default: unaffected

affected from 0 to 8.35.0 (excl.)
Version 2cd702f48df2b8aef0e7381685f8e089986a18a4 is unaffected

Credits

Rodolphe GHIO finder
xet7 remediation developer

References

Problem Types