CVE-2026-32255: CWE-918: Server-Side Request Forgery (SSRF) in kanbn kan
CVE-2026-32255 is a high-severity Server-Side Request Forgery (SSRF) vulnerability affecting kanbn's open-source project management tool, kan, in versions prior to 0.5.5. The vulnerability exists in the /api/download/attatchment endpoint, which lacks authentication and URL validation, allowing unauthenticated attackers to supply arbitrary URLs that the server fetches and returns. This can be exploited to access internal services, cloud metadata endpoints, or private network resources, potentially exposing sensitive information. No user interaction or authentication is required, and the vulnerability has a CVSS score of 8.6. The issue is fixed in version 0.5.5, and as a mitigation, blocking or restricting access to the vulnerable endpoint at the reverse proxy level is recommended.
AI Analysis
Technical Summary
CVE-2026-32255 is a Server-Side Request Forgery (SSRF) vulnerability identified in the kan project management tool, specifically in versions 0.5.4 and below. The vulnerability resides in the /api/download/attatchment endpoint, which accepts a user-supplied URL query parameter without any authentication or validation. The server uses the fetch() function to retrieve the content from the provided URL and returns the full response body to the requester. Because the endpoint is unauthenticated and does not validate URLs, an attacker can craft requests that cause the server to make HTTP requests to internal network resources, cloud provider metadata services (such as AWS, Azure, or GCP metadata endpoints), or other private services inaccessible externally. This can lead to unauthorized information disclosure, including sensitive internal data or credentials. The vulnerability has a CVSS 3.1 base score of 8.6, reflecting its high impact on confidentiality and the ease of exploitation without any privileges or user interaction. The scope is considered changed (S:C) because the attacker can leverage the server's trust and network position to access otherwise protected resources. The issue was fixed in version 0.5.5, presumably by adding authentication and/or URL validation. Until upgrading, it is advised to block or restrict access to the vulnerable endpoint at the reverse proxy level (e.g., nginx, Cloudflare) to prevent exploitation. No public exploits have been reported yet, but the vulnerability poses a significant risk due to its nature and ease of exploitation.
Potential Impact
The primary impact of this SSRF vulnerability is unauthorized access to internal network resources and cloud metadata services, which can lead to significant information disclosure. Attackers can retrieve sensitive data such as internal API endpoints, configuration files, or cloud instance credentials, potentially enabling further attacks like privilege escalation or lateral movement within the victim's environment. Since the vulnerability requires no authentication or user interaction, it can be exploited remotely by any attacker with network access to the kan server. Organizations using affected versions of kan may face data breaches, exposure of confidential project management information, and compromise of cloud infrastructure credentials. The scope of impact is broad because many organizations use project management tools like kan, and the vulnerability affects all deployments running versions below 0.5.5. Additionally, the ability to access cloud metadata endpoints can lead to full cloud account compromise. The absence of known exploits in the wild currently reduces immediate risk but does not diminish the urgency of remediation given the vulnerability's severity and ease of exploitation.
Mitigation Recommendations
1. Upgrade kan to version 0.5.5 or later immediately, as this version contains the fix for the SSRF vulnerability.
2. Until the upgrade can be performed, implement strict access controls at the reverse proxy or firewall level to block or restrict access to the /api/download/attatchment endpoint. This can be done by IP whitelisting, authentication enforcement, or complete blocking if the endpoint is not required.
3. Employ network segmentation to limit the kan server's ability to reach sensitive internal services and cloud metadata endpoints, reducing the potential impact of SSRF exploitation.
4. Monitor server logs for unusual outbound requests originating from the kan server, especially to internal IP ranges or cloud metadata URLs, to detect potential exploitation attempts.
5. Review and harden cloud instance metadata service access policies, such as enabling metadata service version 2 (IMDSv2) on AWS, to mitigate SSRF risks.
6. Conduct a security audit of other endpoints in kan for similar SSRF or injection vulnerabilities.
7. Educate development teams on secure coding practices, including input validation and authentication enforcement on sensitive endpoints.
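As an added example (not kan's code, which this page does not show), the kind of URL validation the fix presumably adds for a fetch-by-URL endpoint, written in JavaScript because the vulnerable endpoint uses fetch(). The allowlisted hosts, the blocked hostname set and the validateAttachmentUrl name are assumptions made for the example.

```javascript
// Added example (not kan's own code): a defender-side validator for a
// "download attachment by URL" endpoint of the kind CVE-2026-32255 lacked.
// It rejects non-HTTP schemes, embedded credentials, literal loopback /
// private / link-local addresses (169.254.169.254 is the cloud metadata
// address), known metadata hostnames, and any host not on an allowlist.
// Caveat: a public hostname that RESOLVES to a private address is not caught
// here; a complete fix also resolves the name and checks the resolved address.

// Assumed policy: attachments may only be fetched from these hosts. The
// allowlist is the primary control; the IP checks are defence in depth.
const ALLOWED_HOSTS = new Set(["files.example.com", "cdn.example.com"]);
const BLOCKED_HOSTNAMES = new Set(["localhost", "metadata.google.internal", "metadata"]);
const IPV4_RE = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/;

// True for IPv4 literals a server should never be asked to fetch from.
function isPrivateIPv4(ip) {
  const m = IPV4_RE.exec(ip);
  if (!m) return false;
  const [a, b] = [Number(m[1]), Number(m[2])];
  return a === 0 || a === 10 || a === 127 ||        // this-net, 10/8, loopback
    (a === 169 && b === 254) ||                     // link-local, incl. metadata
    (a === 172 && b >= 16 && b <= 31) ||            // 172.16.0.0/12
    (a === 192 && b === 168) ||                     // 192.168.0.0/16
    (a === 100 && b >= 64 && b <= 127);             // CGNAT 100.64.0.0/10
}

// True for IPv6 literals that are loopback, unspecified, ULA, link-local or
// IPv4-mapped (the last could smuggle a private IPv4 past the v4 check).
function isPrivateIPv6(ip) {
  const l = ip.toLowerCase();
  return l === "::1" || l === "::" || l.startsWith("fc") || l.startsWith("fd") ||
    l.startsWith("fe80") || l.startsWith("::ffff:");
}

// Returns { ok: true } or { ok: false, reason } for a requested URL.
function validateAttachmentUrl(raw) {
  let url;
  try { url = new URL(raw); } catch { return { ok: false, reason: "unparseable" }; }
  if (url.protocol !== "http:" && url.protocol !== "https:") return { ok: false, reason: "scheme" };
  if (url.username || url.password) return { ok: false, reason: "credentials" };
  // WHATWG URL normalises hex/decimal IPv4 forms (e.g. 2130706433) to dotted
  // quads, so they hit the same check; IPv6 literals come back in brackets.
  const host = url.hostname.replace(/^\[|\]$/g, "").toLowerCase();
  if (isPrivateIPv4(host)) return { ok: false, reason: "private-ip" };
  if (host.includes(":") && isPrivateIPv6(host)) return { ok: false, reason: "private-ip" };
  if (BLOCKED_HOSTNAMES.has(host)) return { ok: false, reason: "blocked-host" };
  if (!ALLOWED_HOSTS.has(host)) return { ok: false, reason: "not-allowlisted" };
  return { ok: true };
}
```

The endpoint should also require an authenticated session before calling this validator, since the advisory names missing authentication as a separate defect.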
Affected Countries
United States, Germany, United Kingdom, France, Canada, Australia, Netherlands, Japan, India, Brazil
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-11T15:05:48.396Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69bb3516771bdb1749cf1e46
Added to database: 3/18/2026, 11:28:22 PM
Last enriched: 3/26/2026, 1:10:45 AM
Last updated: 5/1/2026, 8:00:09 PM