CVE-2026-30844

{"id": "CVE-2026-30844", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.2, "exploitabilityScore": 2.8}], "cvssMetricV40": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 9.3, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2026-03-06T20:16:17.030", "references": [{"url": "https://github.com/wekan/wekan/commit/62216e36c15f55d4ef6cb97313db3aa54fc77fe0", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/wekan/wekan/releases/tag/v8.34", "tags": ["Release Notes"], "source": "security-advisories@github.com"}, {"url": "https://securitylab.github.com/advisories/GHSL-2026-045_Wekan/", "tags": ["Third Party Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-918"}]}], "descriptions": [{"lang": "en", "value": "Wekan is an open source kanban tool built with Meteor. Versions 8.32 and 8.33 are vulnerable to Server-Side Request Forgery (SSRF) via attachment URL loading. During board import in Wekan, attachment URLs from user-supplied JSON data are fetched directly by the server without any URL validation or filtering, affecting both the Wekan and Trello import flows. The parseActivities() and parseActions() methods extract user-controlled attachment URLs, which are then passed directly to Attachments.load() for download with no sanitization. This Server-Side Request Forgery (SSRF) vulnerability allows any authenticated user to make the server issue arbitrary HTTP requests, potentially accessing internal network services such as cloud instance metadata endpoints (exposing IAM credentials), internal databases, and admin panels that are otherwise unreachable from outside the network. This issue has been fixed in version 8.34."}, {"lang": "es", "value": "Wekan es una herramienta kanban de c\u00f3digo abierto construida con Meteor. Las versiones 8.32 y 8.33 son vulnerables a la falsificaci\u00f3n de petici\u00f3n del lado del servidor (SSRF) a trav\u00e9s de la carga de URL de adjuntos. Durante la importaci\u00f3n de tableros en Wekan, las URL de adjuntos de datos JSON proporcionados por el usuario son obtenidas directamente por el servidor sin ninguna validaci\u00f3n o filtrado de URL, afectando tanto a los flujos de importaci\u00f3n de Wekan como de Trello. Los m\u00e9todos parseActivities() y parseActions() extraen URL de adjuntos controladas por el usuario, las cuales son luego pasadas directamente a Attachments.load() para su descarga sin sanitizaci\u00f3n. Esta vulnerabilidad de falsificaci\u00f3n de petici\u00f3n del lado del servidor (SSRF) permite a cualquier usuario autenticado hacer que el servidor emita peticiones HTTP arbitrarias, potencialmente accediendo a servicios de red internos como puntos finales de metadatos de instancias en la nube (exponiendo credenciales IAM), bases de datos internas y paneles de administraci\u00f3n que de otro modo ser\u00edan inalcanzables desde fuera de la red. Este problema ha sido solucionado en la versi\u00f3n 8.34."}], "lastModified": "2026-03-11T14:56:52.180", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:wekan_project:wekan:8.32:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "49FD24D6-7487-4971-B679-E8CB7EF29A64"}, {"criteria": "cpe:2.3:a:wekan_project:wekan:8.33:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "24B3EEBA-2A0C-4A5A-B07A-13219B4E03D8"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}