Vulnerability Description
Kan is an open-source project management tool. In versions 0.5.4 and below, the /api/download/attatchment endpoint has no authentication and no URL validation. The Attachment Download endpoint accepts a user-supplied URL query parameter, passes it directly to a server-side fetch(), and returns the full response body. An unauthenticated attacker can use this to make HTTP requests from the server to internal services, cloud metadata endpoints, or private network resources. This issue has been fixed in version 0.5.5. As a workaround, block or restrict access to /api/download/attatchment at the reverse proxy level (nginx, Cloudflare, etc.).
CVSS Score
HIGH (base score 8.6)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Kan | Kan | < 0.5.5 |
Related Weaknesses (CWE)
References
- https://github.com/kanbn/kan/commit/53397d8e81dc1494d94132848c1f0416f1152bd7 (Patch)
- https://github.com/kanbn/kan/releases/tag/v0.5.5 (Product, Release Notes)
- https://github.com/kanbn/kan/security/advisories/GHSA-qrx8-9hc6-jvqg (Mitigation, Patch, Vendor Advisory)
FAQ
What is CVE-2026-32255?
CVE-2026-32255 is a vulnerability with a CVSS score of 8.6 (HIGH). Kan is an open-source project management tool. In versions 0.5.4 and below, the /api/download/attatchment endpoint has no authentication and no URL validation. The Attachment Download endpoint accepts...
How severe is CVE-2026-32255?
CVE-2026-32255 has been rated HIGH with a CVSS base score of 8.6/10. See the CVSS Score section above.
Is there a patch for CVE-2026-32255?
Check the references section above for vendor advisories and patch information. Affected products include: Kan (vendor: Kan), versions below 0.5.5.