
CVE: CVE-2026-53446 (GHSA-hc3x-hq3m-663q), CVE-2026-53445 (GHSA-7w2h-g83c-jqrp)

Vulnerability name: WebhookBleed

Date: 2026-05-31

Responsible Security Disclosure by: Claude

Vulnerabilities: Found and fixed by code review.
  • 1. SSRF via webhook URLs (input-side validation)
  • 2. copyBoard authorization bypass
  • 3. Avatar scanner regression
  • Affected Wekan v9.31 and earlier
  • Fixed at Wekan v9.32 2026-05-31


Details

1. SSRF via webhook integration URLs — input-side validation (CVE-2026-53446 GHSA-hc3x-hq3m-663q, CWE-918)

Wekan's outgoing-webhook integrations let a board admin store an arbitrary URL that is later fetched server-side, so a caller-controlled URL pointing at an internal address (cloud metadata at http://169.254.169.254/latest/meta-data/, loopback, RFC 1918 ranges, etc.) could be used to reach internal services or exfiltrate data.

The delivery layer was already fixed in v8.35/v8.36 (the IntegrationBleed fixes) by routing webhook delivery through fetchSafe (server/lib/ssrfGuard.js), which resolves DNS once, pins the connection to the validated IP and blocks redirects. This release adds the missing input-side validation the advisory requested at the REST write paths in server/models/integrations.js: POST /api/boards/:boardId/integrations relied only on the schema regex, and PUT /api/boards/:boardId/integrations/:intId wrote the URL via Integrations.direct.updateAsync, bypassing schema validation entirely. Both endpoints now run the DNS-aware validateAttachmentUrl() before storing the URL, rejecting private/loopback/link-local/reserved targets with HTTP 400.

2. Authorization bypass in copyBoard DDP method (CVE-2026-53445 GHSA-7w2h-g83c-jqrp, CWE-862)

The copyBoard Meteor method in server/publications/boards.js had no authorization check: any logged-in user could copy any board by ID — including private boards — while the equivalent REST endpoint correctly required board admin. The method also copied caller-supplied properties onto the new board, letting an attacker inject members or permission: 'public'. The member-level fix shipped in v9.09 (AuthBleed); this release tightens it to full parity with the REST endpoint by requiring board.hasAdmin(this.userId).

3. Regression from the avatar RCE fix (CVE-2026-52891 GHSA-35j7-h385-2q9g)

The avatar RCE fix renamed asyncExec to asyncExecFile in models/fileValidation.js, but the admin-configured external scanner command line still called the now-undefined asyncExec, throwing a swallowed ReferenceError and making every upload silently fail validation whenever an external scanner was configured. The fix restores a shell-based asyncExec that is used only for that admin-configured command line; MIME detection still uses the shell-free asyncExecFile.



Timeline
2026-05-31: Found and fixed by code review; fixed at Wekan v9.32.

