LeakyCreds

CVE-2026-32255 - Vulnerability Analysis

High (CVSS 8.6)

Last Updated: March 19, 2026

Kan - Server-Side Request Forgery

Published: March 19, 2026 | Updated: March 19, 2026 | PoC Available | Remote Exploitable

Overview

Kan versions 0.5.4 and earlier contain a server-side request forgery (SSRF, CWE-918) in the /api/download/attatchment endpoint (path spelled as in the advisory). The endpoint enforces no authentication and does not validate the user-supplied URL it is asked to download, so an unauthenticated remote attacker can make the Kan server issue arbitrary HTTP requests on their behalf.

Severity & Score

Severity: High
CVSS Score: 8.6
EPSS Score: 10.3% (probability of exploitation in the next 30 days)

Impact

An unauthenticated attacker can make the Kan server issue arbitrary HTTP requests and, since this is a download endpoint that returns the fetched content, read the responses. That reaches services the attacker cannot contact directly: internal HTTP services on the host or its network, and cloud instance metadata endpoints, which commonly hand out instance credentials. The vector's changed scope (S:C) and high confidentiality impact (C:H) reflect exactly this; integrity and availability are not rated as affected.

Mitigation

Upgrade to Kan 0.5.5 or later. Until the upgrade is applied, the usual SSRF containment measures apply (general hardening advice, not a vendor recommendation on this page): restrict /api/download/attatchment to authenticated users at the reverse proxy, and block egress from the Kan host to loopback, RFC 1918 and link-local ranges, including the 169.254.169.254 metadata address, or enforce a token-based metadata service (IMDSv2 on AWS) so a plain GET cannot read instance credentials.

Social Media Activity (1 post)

TheHackerWire
@thehackerwire
Mar 19, 2026

🟠 CVE-2026-32255 - High (8.6) Kan is an open-source project management tool. In versions 0.5.4 and below, the /api/download/attatchment endpoint has no authentication and no URL validation. The Attachment Download endpoint accepts a user-supplied URL query parameter and passes... 🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-32255/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack


Details

CVE ID: CVE-2026-32255
Severity: High
CVSS Score: 8.6
Type: Server-Side Request Forgery (server_side_request_forgery)
Status: confirmed
EPSS: 10.3%
Social Posts: 1

CWE

  • CWE-918 (Server-Side Request Forgery)

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

Reachable over the network with low attack complexity, no privileges and no user interaction; scope is changed because the forged requests affect systems beyond the Kan server itself; confidentiality impact is high, with no rated integrity or availability impact. This vector computes to a base score of 8.6, matching the score above.

EPSS Score

10.3% (probability of exploitation in the next 30 days)