Description

Kan is an open-source project management tool. In versions 0.5.4 and below, the /api/download/attatchment endpoint has no authentication and no URL validation. The Attachment Download endpoint accepts a user-supplied URL query parameter and passes it directly to fetch() server-side, and returns the full response body. An unauthenticated attacker can use this to make HTTP requests from the server to internal services, cloud metadata endpoints, or private network resources. This issue has been fixed in version 0.5.5. To workaround this issue, block or restrict access to /api/download/attatchment at the reverse proxy level (nginx, Cloudflare, etc.).

INFO

Published Date :

2026-03-18T23:11:36.892Z

Last Modified :

2026-03-19T16:11:00.489Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2026-32255 vulnerability.

Vendors Products
Kan
  • Kan
Kanbn
  • Kan
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-32255.

URL Resource
https://github.com/kanbn/kan/commit/53397d8e81dc1494d94132848c1f0416f1152bd7 cve-icon cve-icon
https://github.com/kanbn/kan/releases/tag/v0.5.5 cve-icon cve-icon
https://github.com/kanbn/kan/security/advisories/GHSA-qrx8-9hc6-jvqg cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact