Platform
nodejs
Component
kan
Fixed version
0.5.6
CVE-2026-32255 describes a Server-Side Request Forgery (SSRF) vulnerability discovered in Kan, an open-source project management tool. This vulnerability allows an unauthenticated attacker to initiate HTTP requests from the Kan server to arbitrary internal or external resources. The issue impacts versions 0.5.4 and earlier, and a fix is available in version 0.5.5. Immediate action is recommended to prevent potential data exposure and unauthorized access.
The SSRF vulnerability in Kan turns the server into a request proxy for systems that are not reachable from the outside: internal admin interfaces, unauthenticated internal APIs, and services that trust the Kan server's source address. Because the attacker supplies the target URL and the server fetches it, the response (or its timing and error behaviour) can expose data held by internal services, such as configuration endpoints, database credentials in management consoles, or internal API output. On cloud hosts the same request can be pointed at the instance metadata service (169.254.169.254 on AWS) to read IAM role credentials or other instance secrets; note that AWS IMDSv2 requires a session token obtained with a PUT request, so enforcing IMDSv2 blocks the plain GET that a basic SSRF can issue, whereas IMDSv1 hands the credentials over directly. Because the endpoint requires no authentication, anyone who can reach the Kan instance can trigger the SSRF, which places the practical risk well above that of an authenticated SSRF and can lead to data breaches and compromise of internal infrastructure.
CVE-2026-32255 was publicly disclosed on 2026-03-18. There is currently no indication of active exploitation or a KEV listing. Public proof-of-concept code is not yet available, but the vulnerability's ease of exploitation suggests that it could become a target for opportunistic attackers. The lack of authentication significantly increases the risk of exploitation.
Organizations running Kan with internal services or cloud resources reachable from the Kan server's network position are at risk. Multi-tenant and shared-network deployments are a particular concern: because the endpoint needs no authentication, anyone who can reach one Kan instance can use it to probe every other service on the same network segment, including other tenants' instances and shared back-end services.
• nodejs / server: Monitor access logs for requests to /api/download/attatchment whose url query parameter points at an unexpected host. The target URL is carried in the query string, so it appears in the log either plain or URL-encoded; match both forms.

grep '/api/download/attatchment' access.log | grep -iE 'url=https?(:|%3A)'

• generic web: Use curl to test the endpoint with a known internal IP address or a cloud metadata endpoint. Quote the URL so the shell does not interpret the ? and / characters.

curl -v 'http://<kan_server_ip>/api/download/attatchment?url=http://169.254.169.254/latest/meta-data/iam/security-credentials/'
Exploitation status
EPSS
0.05% (17th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-32255 is to upgrade Kan to version 0.5.5 or later, which includes the fix (the fixed-version field at the top of this page lists 0.5.6; take the newest available release). If upgrading is not immediately feasible, a temporary workaround is to block or restrict access to the /api/download/attatchment endpoint at a Web Application Firewall (WAF), reverse proxy, or network firewall. A path-based block is only as good as its matching: test the rule against URL-encoded and mixed-case variants of the path, and remember that it removes a feature rather than fixing the fetch logic. After upgrading, confirm the fix by requesting the /api/download/attatchment endpoint with a url parameter that points at an internal or metadata address; the server should reject the request rather than fetch it.
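The destination check that the mitigation above implies, and a log triage using the same check for the detection steps earlier on this page, as an added example in JavaScript for a Node.js deployment. This is not Kan's code and does not reproduce the 0.5.5 fix; the url parameter name, the blocked-host policy, the combined log format and the sample log lines are assumptions made for the example.

```javascript
// Added example for this advisory; not Kan's code. Shows (1) the destination
// check a hardened attachment-download endpoint should apply to a caller-supplied
// URL and (2) reusing that check to triage access logs for probes of the endpoint.
// Assumptions: the target arrives in a `url` query parameter; logs are in the
// common/combined format; the hostnames and sample lines below are constructed.

// Vulnerable pattern (illustrative): the caller's string goes straight to the
// HTTP client, so any scheme and any host, including 169.254.169.254, is fetched.
function unsafeDownloadTarget(rawUrl) {
  return new URL(rawUrl);
}

// Names that must never be fetched on an unauthenticated caller's behalf (assumed policy).
const BLOCKED_HOSTNAMES = new Set(['localhost', 'metadata.google.internal', 'metadata']);

// IPv4 ranges to refuse: this-network, RFC 1918, CGNAT, loopback, link-local
// (where AWS/Azure/GCP metadata services live), multicast and reserved.
const BLOCKED_V4 = [
  ['0.0.0.0', 8], ['10.0.0.0', 8], ['100.64.0.0', 10], ['127.0.0.0', 8],
  ['169.254.0.0', 16], ['172.16.0.0', 12], ['192.168.0.0', 16],
  ['224.0.0.0', 4], ['240.0.0.0', 4],
];

function ipv4ToInt(ip) {
  return ip.split('.').reduce((acc, octet) => ((acc << 8) + Number(octet)) >>> 0, 0);
}

function inCidr(ipInt, [base, bits]) {
  const mask = bits === 0 ? 0 : (~0 << (32 - bits)) >>> 0;
  return ((ipInt & mask) >>> 0) === ((ipv4ToInt(base) & mask) >>> 0);
}

// For an IPv4-mapped IPv6 literal, return the embedded IPv4 address in dotted form.
// The WHATWG URL parser serialises ::ffff:10.0.0.1 as ::ffff:a00:1, so accept both spellings.
function mappedIpv4(host6) {
  const hex = host6.match(/^::ffff:([0-9a-f]{1,4}):([0-9a-f]{1,4})$/);
  if (hex) {
    const n = ((parseInt(hex[1], 16) << 16) | parseInt(hex[2], 16)) >>> 0;
    return [n >>> 24, (n >>> 16) & 255, (n >>> 8) & 255, n & 255].join('.');
  }
  const dotted = host6.match(/^::ffff:(\d+\.\d+\.\d+\.\d+)$/);
  return dotted ? dotted[1] : null;
}

// Returns { ok: true, url } for an acceptable public http(s) target, otherwise { ok: false, reason }.
// Relies on the URL parser normalising decimal/octal/hex IPv4 forms (http://2130706433/ -> 127.0.0.1).
function classifyTarget(rawUrl) {
  let url;
  try { url = new URL(rawUrl); } catch { return { ok: false, reason: 'unparseable URL' }; }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') {
    return { ok: false, reason: `scheme ${url.protocol} not allowed` };
  }
  if (url.username || url.password) return { ok: false, reason: 'credentials in URL' };
  let host = url.hostname.toLowerCase();
  if (host.startsWith('[') && host.endsWith(']')) host = host.slice(1, -1); // IPv6 literal
  if (BLOCKED_HOSTNAMES.has(host) || host.endsWith('.internal')) {
    return { ok: false, reason: `blocked hostname ${host}` };
  }
  if (host.includes(':')) { // IPv6: unspecified, loopback, link-local, unique-local
    if (host === '::' || host === '::1' || host.startsWith('fe80:') || /^f[cd]/.test(host)) {
      return { ok: false, reason: `blocked address ${host}` };
    }
    const v4 = mappedIpv4(host);
    if (v4 !== null) host = v4; // fall through to the IPv4 rules
  }
  if (/^\d{1,3}(\.\d{1,3}){3}$/.test(host)) {
    const n = ipv4ToInt(host);
    if (BLOCKED_V4.some((cidr) => inCidr(n, cidr))) return { ok: false, reason: `blocked address ${host}` };
  }
  return { ok: true, url };
}

// Constructed sample access-log lines (not real traffic): two probes, one legitimate download, one unrelated request.
const SAMPLE_LOG = [
  '203.0.113.7 - - [18/Mar/2026:10:01:02 +0000] "GET /api/download/attatchment?url=http%3A%2F%2F169.254.169.254%2Flatest%2Fmeta-data%2F HTTP/1.1" 200 512 "-" "curl/8.5.0"',
  '203.0.113.7 - - [18/Mar/2026:10:01:05 +0000] "GET /api/download/attatchment?url=http://10.0.0.5:8080/admin HTTP/1.1" 200 2048 "-" "curl/8.5.0"',
  '198.51.100.20 - - [18/Mar/2026:10:02:00 +0000] "GET /api/download/attatchment?url=https://files.example.com/spec.pdf HTTP/1.1" 200 90210 "-" "Mozilla/5.0"',
  '198.51.100.21 - - [18/Mar/2026:10:02:30 +0000] "GET /api/boards HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
].join('\n');

// Flags endpoint requests whose decoded url parameter fails classifyTarget().
function triageAccessLog(text) {
  const flagged = [];
  for (const line of text.split('\n')) {
    const m = line.match(/^(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|POST) (\S+) HTTP/);
    if (!m) continue;
    const [, client, ts, target] = m;
    if (!target.startsWith('/api/download/attatchment')) continue;
    const raw = new URLSearchParams(target.split('?')[1] || '').get('url'); // decodes %3A%2F%2F etc.
    if (raw === null) continue;
    const verdict = classifyTarget(raw);
    if (!verdict.ok) flagged.push({ client, ts, url: raw, reason: verdict.reason });
  }
  return flagged;
}

console.log(triageAccessLog(SAMPLE_LOG)); // two entries from 203.0.113.7
```

Checking the literal host is necessary but not sufficient: a public hostname that resolves to an internal address passes this filter, so the real handler must resolve the name, apply the same rules to the resolved address, connect to that pinned address (not re-resolve), and repeat the check on every redirect. Where the product can tolerate it, an allow-list of expected attachment origins is simpler and stronger than any deny-list.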
Update Kan to version 0.5.5 or later. Alternatively, block or restrict access to the /api/download/attatchment endpoint at a reverse proxy (nginx, Cloudflare, etc.). This prevents unauthenticated attackers from exploiting the SSRF vulnerability.
CVE-2026-32255 is a HIGH severity SSRF vulnerability in Kan versions 0.5.4 and below, allowing unauthenticated attackers to make HTTP requests from the server to internal resources.
You are affected if you are using Kan version 0.5.4 or earlier. Upgrade to version 0.5.5 to resolve the vulnerability.
Upgrade Kan to version 0.5.5. As a temporary workaround, block access to the /api/download/attatchment endpoint.
There is currently no evidence of active exploitation, but the vulnerability's ease of exploitation makes it a potential target.
Refer to the Kan project's official website and GitHub repository for updates and advisories related to CVE-2026-32255.