Platform
nodejs
Component
kan
Fixed in
0.5.6
CVE-2026-32255 describes a Server-Side Request Forgery (SSRF) vulnerability discovered in Kan, an open-source project management tool. This vulnerability allows an unauthenticated attacker to initiate HTTP requests from the Kan server to arbitrary internal or external resources. The issue impacts versions 0.5.4 and earlier, and a fix is available in version 0.5.5. Immediate action is recommended to prevent potential data exposure and unauthorized access.
The SSRF vulnerability in Kan lets an attacker use the Kan server as a request proxy, reaching internal systems that the network perimeter would otherwise keep out of reach. From that position an attacker could read content from internal HTTP services such as admin consoles, internal APIs or services that expose configuration and credentials, and could query the cloud instance metadata endpoint (169.254.169.254 on AWS, GCP and Azure) to retrieve instance IAM credentials or other cloud-specific secrets. Because the endpoint requires no authentication, anyone who can reach the Kan instance can trigger the SSRF, which is what makes this issue particularly serious: an exposed Kan deployment can become a pivot into internal infrastructure and a source of data breaches.
CVE-2026-32255 was publicly disclosed on 2026-03-18. There is currently no indication of active exploitation and no CISA KEV listing. Public proof-of-concept code is not yet available, but an unauthenticated SSRF in an HTTP endpoint is trivial to weaponize once the request format is known, so internet-exposed Kan instances are a plausible target for opportunistic scanning.
Exploit Status
EPSS
0.05% (17th percentile)
The primary mitigation for CVE-2026-32255 is to upgrade Kan to version 0.5.5 or later, which includes the fix. If upgrading is not immediately feasible, a temporary workaround is to block or restrict access to the /api/download/attatchment endpoint at a Web Application Firewall (WAF), reverse proxy, or network firewall. When writing that rule, match the path after normalization so that case variants, URL-encoded segments, trailing slashes and query strings do not slip past it, and keep in mind that the rule also breaks legitimate attachment downloads for all users until the upgrade is done. After upgrading, confirm the fix by requesting the /api/download/attatchment endpoint with a URL that points at a loopback or link-local address (for example 127.0.0.1 or 169.254.169.254); the server should reject the request rather than fetch the target.
Update Kan to version 0.5.5 or higher. Alternatively, block or restrict access to the /api/download/attatchment endpoint on your reverse proxy (nginx, Cloudflare, etc.). This will prevent unauthenticated attackers from exploiting the SSRF vulnerability.
CVE-2026-32255 is a HIGH severity SSRF vulnerability in Kan versions 0.5.4 and below, allowing unauthenticated attackers to make HTTP requests from the server to internal resources.
You are affected if you are using Kan version 0.5.4 or earlier. Upgrade to version 0.5.5 to resolve the vulnerability.
Upgrade Kan to version 0.5.5. As a temporary workaround, block access to the /api/download/attatchment endpoint.
There is currently no evidence of active exploitation, but the vulnerability's ease of exploitation makes it a potential target.
Refer to the Kan project's official website and GitHub repository for updates and advisories related to CVE-2026-32255.