PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-41455 wekan CVE debrief

CVE-2026-41455 documents a server-side request forgery (SSRF) vulnerability in WeKan versions prior to 8.35, published by NVD on 2026-04-22 and last modified on 2026-05-26. The flaw resides in webhook integration URL handling, where the URL scheme field accepts arbitrary strings without protocol restriction or destination validation. Attackers with permission to create or modify integrations can configure webhook URLs pointing to internal network addresses, causing the WeKan server to issue HTTP POST requests to attacker-chosen internal targets. These requests carry full board event payloads. Additionally, because webhook responses are processed without proper authorization checks, an attacker can use the response to overwrite arbitrary comment text. The CVSS 4.0 vector indicates network attack vector, low attack complexity, low privileges required, and impact on confidentiality and integrity. CWE-918 (Server-Side Request Forgery) is identified as the weakness type. Remediation is available in WeKan version 8.35, released 2026-04-22.

Vendor: wekan
Product: Unknown
CVSS: MEDIUM 6.3
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-04-22
Original CVE updated: 2026-05-26
Advisory published: 2026-04-22
Advisory updated: 2026-05-26

Who should care

Organizations operating WeKan instances with webhook integrations enabled, particularly those in multi-tenant environments or with sensitive internal network resources. Security teams responsible for SSRF prevention and API security posture management.

Technical summary

The vulnerability stems from insufficient input validation on the webhook URL scheme field, permitting arbitrary protocol strings and internal addresses. The WeKan server executes HTTP POST requests to these URLs when board events occur, transmitting event payloads. Response processing lacks authorization checks, enabling attackers to manipulate returned data to overwrite comment text. The attack requires low-privileged access to create or modify integrations, with no user interaction needed.

Defensive priority

medium

Recommended defensive actions

  • Upgrade WeKan to version 8.35 or later to address the SSRF vulnerability in webhook integration handling
  • Review and audit existing webhook integrations for unauthorized internal network URLs
  • Implement network segmentation to restrict WeKan server outbound connectivity to trusted destinations only
  • Apply principle of least privilege for integration management permissions
  • Monitor webhook response processing for unexpected comment modifications
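The technical summary describes the root cause as a webhook URL field that accepts any scheme and any destination, and the second recommended action asks operators to audit stored integrations for internal-network URLs. The following is an added example written for this debrief; it is not WeKan's own code and does not reproduce the 8.35 fix. It assumes integration records are plain objects with hypothetical `id` and `url` fields and shows the two defensive checks a webhook sender needs: an allow-list of schemes (`http:`/`https:` only) and rejection of loopback, private, link-local and cloud-metadata destinations, applied both at save time (`classifyWebhookUrl`) and as an audit pass over existing records (`auditIntegrations`). The sample records at the bottom are constructed.

```javascript
// Added example (not WeKan's own code): scheme allow-list plus internal-address
// rejection for outbound webhook URLs, and an audit pass over stored integrations.
// Assumption: integration records are plain objects with {id, url} fields.
// These checks are string/IP-literal level only; see the note after the block.

const ALLOWED_SCHEMES = new Set(["http:", "https:"]);

// Parse a dotted-quad IPv4 literal into four octets, or null if it is not one.
// Node's WHATWG URL parser already normalizes forms such as 0x7f000001 and
// 2130706433 to dotted-quad, so this sees the canonical form.
function parseIPv4(host) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return null;
  const octets = m.slice(1).map(Number);
  return octets.every((o) => o <= 255) ? octets : null;
}

// IPv4 ranges a board-event webhook should never reach: "this network",
// loopback, RFC 1918 private space, link-local (includes 169.254.169.254
// cloud metadata), carrier-grade NAT and broadcast.
function isBlockedIPv4([a, b]) {
  if (a === 0 || a === 127 || a === 10 || a === 255) return true;
  if (a === 172 && b >= 16 && b <= 31) return true;
  if (a === 192 && b === 168) return true;
  if (a === 169 && b === 254) return true;
  if (a === 100 && b >= 64 && b <= 127) return true;
  return false;
}

// Hostnames that name the local machine or have no public meaning.
function isBlockedHostname(host) {
  const h = host.toLowerCase().replace(/\.$/, "");
  return h === "localhost" || h.endsWith(".localhost") ||
         h.endsWith(".local") || h.endsWith(".internal");
}

// The URL parser serializes IPv4-mapped IPv6 addresses as hex groups
// ("::ffff:a00:5"); recover the four octets from either spelling.
function mappedV4ToOctets(rest) {
  if (rest.includes(".")) return parseIPv4(rest);
  const parts = rest.split(":");
  if (parts.length !== 2) return null;
  const [hi, lo] = parts.map((p) => parseInt(p, 16));
  if (Number.isNaN(hi) || Number.isNaN(lo)) return null;
  return [hi >> 8, hi & 0xff, lo >> 8, lo & 0xff];
}

// IPv6 literals arrive from url.hostname wrapped in brackets, lowercase hex.
function isBlockedIPv6(bracketed) {
  const h = bracketed.slice(1, -1).toLowerCase();
  if (h === "::1" || h === "::") return true;                 // loopback / unspecified
  if (/^fe[89ab]/.test(h)) return true;                       // link-local fe80::/10
  if (h.startsWith("fc") || h.startsWith("fd")) return true;  // unique local fc00::/7
  if (h.startsWith("::ffff:")) {                              // IPv4-mapped
    const v4 = mappedV4ToOctets(h.slice(7));
    return v4 === null || isBlockedIPv4(v4);
  }
  return false;
}

// Decide whether a webhook URL may be stored; returns {allowed, reason}.
function classifyWebhookUrl(raw) {
  let url;
  try {
    url = new URL(raw);
  } catch {
    return { allowed: false, reason: "unparseable URL" };
  }
  if (!ALLOWED_SCHEMES.has(url.protocol)) {
    return { allowed: false, reason: `scheme not allowed: ${url.protocol}` };
  }
  if (url.username || url.password) {
    return { allowed: false, reason: "credentials embedded in URL" };
  }
  const host = url.hostname;
  if (host.startsWith("[")) {
    if (isBlockedIPv6(host)) return { allowed: false, reason: "IPv6 literal in blocked range" };
  } else {
    const v4 = parseIPv4(host);
    if (v4 && isBlockedIPv4(v4)) return { allowed: false, reason: "IPv4 literal in blocked range" };
    if (!v4 && isBlockedHostname(host)) return { allowed: false, reason: "internal hostname" };
  }
  return { allowed: true, reason: "ok" };
}

// Audit pass: return every stored integration whose URL fails the check.
function auditIntegrations(integrations) {
  return integrations
    .map((it) => ({ id: it.id, url: it.url, ...classifyWebhookUrl(it.url) }))
    .filter((r) => !r.allowed);
}

// Constructed sample records standing in for stored integration documents.
const SAMPLE_INTEGRATIONS = [
  { id: "int-1", url: "https://hooks.example.com/wekan" },
  { id: "int-2", url: "http://169.254.169.254/latest/meta-data/" },
  { id: "int-3", url: "http://0x7f000001/status" },
  { id: "int-4", url: "ftp://files.example.com/drop" },
  { id: "int-5", url: "http://[::ffff:10.0.0.5]/hook" },
];

if (typeof require !== "undefined" && require.main === module) {
  for (const f of auditIntegrations(SAMPLE_INTEGRATIONS)) {
    console.log(`${f.id} ${f.url} -> ${f.reason}`);
  }
}

module.exports = { classifyWebhookUrl, auditIntegrations, SAMPLE_INTEGRATIONS };
```

Two caveats on the design. First, a check on the URL string alone does not cover a public hostname that resolves to an internal address, or one that changes its answer between validation and connection (DNS rebinding); the sender also has to resolve the name, apply `isBlockedIPv4`/`isBlockedIPv6` to every resolved address, connect to that exact address, and re-run the check on any redirect target. Second, this is compensating control only: the outbound allow-list in the network-segmentation action above and the upgrade to 8.35 remain the primary fixes.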

Evidence notes

Vulnerability description and CVSS vector sourced from NVD record. Vendor identification derived from reference domain analysis (GitHub wekan/wekan repository, Vulncheck advisory). Fix version 8.35 confirmed via GitHub release tag. CWE-918 classification from Vulncheck disclosure source.

Official resources

2026-04-22T22:16:32.677Z