Description
WeKan before 8.35 contains a server-side request forgery vulnerability in webhook integration URL handling where the URL scheme field accepts any string without protocol restriction or destination validation. Attackers who can create or modify integrations can set webhook URLs to internal network addresses, causing the server to issue HTTP POST requests to attacker-controlled internal targets with full board event payloads, and can additionally exploit response handling to overwrite arbitrary comment text without authorization checks.
References (3)
Core 3
Core References
Release Notes release-notes
https://github.com/wekan/wekan/releases/tag/v8.35
Third Party Advisory third-party-advisory
https://www.vulncheck.com/advisories/wekan-ssrf-via-webhook-url
Scores
CVSS v3
8.5
EPSS
0.0024
EPSS Percentile
14.3%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-918
Status
published
Products (2)
wekan/wekan
< 8.35.0
wekan/wekan
2cd702f48df2b8aef0e7381685f8e089986a18a4
Published
Apr 22, 2026
Tracked Since
Apr 23, 2026