CVE-2026-32255 is a Server-Side Request Forgery (SSRF) vulnerability classified under CWE-918, found in the kanbn open-source project management tool 'kan' in versions prior to 0.5.5. The vulnerability resides in the /api/download/attatchment endpoint, which accepts a user-supplied URL query parameter without any authentication or validation. The endpoint uses the server-side fetch() function to retrieve the content from the provided URL and returns the full response body to the requester. Because there is no restriction on the URL parameter, an unauthenticated attacker can exploit this to make arbitrary HTTP requests from the server to internal services, such as intranet resources, cloud provider metadata endpoints (e.g., AWS, Azure, GCP), or other private network assets that are otherwise inaccessible externally. This can lead to unauthorized disclosure of sensitive information, including credentials, configuration data, or internal infrastructure details. The vulnerability does not require user interaction or authentication, making it easier to exploit remotely. The issue was publicly disclosed on March 18, 2026, and fixed in version 0.5.5 of the software. Although no known exploits have been reported in the wild, the high CVSS score (8.6) reflects the critical confidentiality impact and ease of exploitation. The recommended immediate mitigation is to block or restrict access to the vulnerable endpoint at the reverse proxy level (e.g., nginx, Cloudflare) until the software is updated. This vulnerability highlights the risks of insufficient input validation and lack of authentication on sensitive API endpoints in web applications.

The primary impact of CVE-2026-32255 is the potential unauthorized disclosure of sensitive internal information due to SSRF exploitation. Attackers can leverage this vulnerability to access internal network resources that are normally protected from external access, including cloud metadata services that may contain credentials or tokens. This can lead to further compromise of cloud infrastructure or internal systems. The confidentiality of internal data is severely impacted, while integrity and availability remain unaffected. Organizations using affected versions of kan are at risk of internal reconnaissance, data leakage, and potential lateral movement within their networks. This can undermine trust in project management tools and expose sensitive project or organizational data. The ease of exploitation without authentication increases the likelihood of attacks, especially in environments where the kan server is accessible from untrusted networks. Although no exploits are currently known in the wild, the vulnerability represents a significant risk if left unpatched or unmitigated.

1. Upgrade the kan software to version 0.5.5 or later immediately, as this version contains the fix for the SSRF vulnerability. 2. Until patching is possible, implement strict access controls at the reverse proxy or firewall level to block or restrict access to the /api/download/attatchment endpoint. This can be done using nginx rules, Cloudflare firewall policies, or equivalent controls. 3. Employ network segmentation to limit the kan server's ability to reach sensitive internal services or cloud metadata endpoints. 4. Monitor server logs for unusual outbound requests originating from the kan server, especially to internal IP ranges or cloud metadata URLs. 5. Conduct security reviews of other API endpoints to ensure proper authentication and input validation are enforced. 6. Educate development teams on secure coding practices to prevent SSRF and similar vulnerabilities, including validating and sanitizing user-supplied URLs and enforcing authentication on sensitive endpoints. 7. Consider implementing web application firewalls (WAFs) with SSRF detection rules as an additional layer of defense.