PT-2026-26167 · Kan · Kan
Koadt · Published 2026-03-18 · Updated 2026-03-21 · CVE-2026-32255
CVSS v3.1: 8.6 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Kan versions 0.5.4 and below

Description: Kan is an open-source project management tool. Versions 0.5.4 and below lack authentication and URL validation in the /api/download/attatchment endpoint. This endpoint accepts a user-supplied URL query parameter, passes it directly to the server-side fetch() function, and returns the full response body. An unauthenticated attacker can leverage this to make HTTP requests from the server to internal services, cloud metadata endpoints, or private network resources. This is a Server-Side Request Forgery (SSRF) issue.

Recommendations: Versions prior to 0.5.5 should be updated to version 0.5.5 or later. Block or restrict access to the /api/download/attatchment endpoint at the reverse-proxy level (nginx, Cloudflare, etc.).
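The description above names two missing controls on the download endpoint: no authentication and no validation of the URL handed to fetch(). The check below is an added example written for this page; it is not Kan's code and does not reproduce the 0.5.5 fix. It assumes a hypothetical handler that, after the session has been authenticated, calls checkAttachmentUrl() with the operator-configured list of storage hosts that attachments are known to live on. The allowlist is the primary control; the scheme, credential and address-range checks are defence in depth that still apply when the allowlist is empty. The hostnames and addresses in the comments and the test are constructed.

```typescript
// Added example (not Kan's code): URL validation for a server-side download
// proxy such as /api/download/attatchment. Names are hypothetical.

export interface UrlCheck {
  ok: boolean;
  reason?: string;
}

// IPv4 ranges a server-side fetch must never reach. 169.254.0.0/16 contains
// the cloud metadata address 169.254.169.254 mentioned in the advisory.
const BLOCKED_V4: Array<[string, number]> = [
  ["0.0.0.0", 8], ["10.0.0.0", 8], ["100.64.0.0", 10], ["127.0.0.0", 8],
  ["169.254.0.0", 16], ["172.16.0.0", 12], ["192.168.0.0", 16],
  ["224.0.0.0", 4], ["240.0.0.0", 4],
];

function v4ToInt(ip: string): number {
  // Fold four dotted octets into an unsigned 32-bit integer.
  return ip.split(".").reduce((acc, o) => ((acc << 8) | Number(o)) >>> 0, 0);
}

function v4Blocked(ip: string): boolean {
  const n = v4ToInt(ip);
  return BLOCKED_V4.some(([base, bits]) => {
    const mask = (0xffffffff << (32 - bits)) >>> 0;
    return ((n & mask) >>> 0) === ((v4ToInt(base) & mask) >>> 0);
  });
}

function v6Blocked(addr: string): boolean {
  const a = addr.toLowerCase();
  if (a === "::" || a === "::1") return true;               // unspecified, loopback
  if (a.indexOf("::ffff:") === 0) {                         // IPv4-mapped, e.g. ::ffff:7f00:1
    const rest = a.slice(7);
    if (rest.indexOf(".") !== -1) return v4Blocked(rest);   // dotted form
    const octets: number[] = [];
    rest.split(":").forEach((h) => {
      const n = parseInt(h, 16);
      octets.push(n >> 8, n & 0xff);
    });
    return v4Blocked(octets.join("."));
  }
  const first = parseInt(a.split(":")[0] || "0", 16);
  return (first >= 0xfe80 && first <= 0xfebf)               // link-local fe80::/10
    || (first >= 0xfc00 && first <= 0xfdff)                 // unique local fc00::/7
    || first >= 0xff00;                                     // multicast ff00::/8
}

// Returns ok:true only for an http(s) URL without embedded credentials whose
// host is on the allowlist (when one is configured) and is not a local name
// or an address in an internal range.
export function checkAttachmentUrl(raw: string, allowedHosts: string[]): UrlCheck {
  let url: URL | null = null;
  try {
    url = new URL(raw);
  } catch (e) {
    // fall through: unparseable input is rejected below
  }
  if (url === null) return { ok: false, reason: "unparseable URL" };
  if (url.protocol !== "http:" && url.protocol !== "https:") {
    return { ok: false, reason: "scheme not allowed: " + url.protocol };
  }
  if (url.username !== "" || url.password !== "") {
    return { ok: false, reason: "credentials embedded in URL" };
  }
  // The WHATWG parser has already normalised the host: "0x7f000001", "127.1"
  // and "2130706433" all arrive as "127.0.0.1"; IPv6 literals keep their brackets.
  const host = url.hostname.toLowerCase();

  // Primary control: only the configured storage hosts are ever fetched.
  // Exact matching defeats suffix tricks like "files.example.com.attacker.test".
  if (allowedHosts.length > 0 && !allowedHosts.some((h) => h.toLowerCase() === host)) {
    return { ok: false, reason: "host not in allowlist: " + host };
  }
  // Defence in depth: refuse local names and literal addresses in internal ranges.
  if (host === "localhost" || /\.localhost$/.test(host)) {
    return { ok: false, reason: "local hostname" };
  }
  if (/^\d+\.\d+\.\d+\.\d+$/.test(host) && v4Blocked(host)) {
    return { ok: false, reason: "IPv4 address in blocked range: " + host };
  }
  if (host.charAt(0) === "[" && v6Blocked(host.slice(1, -1))) {
    return { ok: false, reason: "IPv6 address in blocked range: " + host };
  }
  return { ok: true };
}
```

Two caveats belong with any such check. The hostname test says nothing about what a public name resolves to, so a handler that cannot use a strict allowlist should resolve the name itself, run the address checks on the result, and connect to that address rather than re-resolving. And the fetch itself should be issued with `redirect: "manual"` and treat a 3xx as a failure, otherwise an allowed host can redirect the server to an address the check would have refused.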

Exploit · Fix · SSRF


Weakness Enumeration

Related Identifiers

CVE-2026-32255
GHSA-QRX8-9HC6-JVQG

Affected Products

Kan