Skip to main content

Wekan CVE-2026-1896

MEDIUM
Incorrect Privilege Assignment (CWE-266)
2026-02-05 cna@vuldb.com
6.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.3 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

3
Analysis Generated
Mar 12, 2026 - 21:55 vuln.today
Patch released
Feb 10, 2026 - 17:45 nvd
Patch available
CVE Published
Feb 05, 2026 - 00:15 nvd
MEDIUM 6.3

DescriptionCVE.org

A vulnerability has been found in WeKan up to 8.20. Affected by this vulnerability is the function ComprehensiveBoardMigration of the file server/migrations/comprehensiveBoardMigration.js of the component Migration Operation Handler. The manipulation of the argument boardId leads to improper access controls. The attack is possible to be carried out remotely. Upgrading to version 8.21 addresses this issue. The identifier of the patch is cc35dafef57ef6e44a514a523f9a8d891e74ad8f. Upgrading the affected component is advised.

AnalysisAI

Improper access control in Wekan's board migration function allows authenticated remote attackers to manipulate the boardId parameter and gain unauthorized access to sensitive data or modify board information. Wekan versions up to 8.20 are affected, and administrators should upgrade to version 8.21 or later to remediate this vulnerability.

Technical ContextAI

Affects Wekan. A vulnerability has been found in WeKan up to 8.20. Affected by this vulnerability is the function ComprehensiveBoardMigration of the file server/migrations/comprehensiveBoardMigration.js of the component Migration Operation Handler. The manipulation of the argument boardId leads to improper access controls. The attack is possible to be carried out remotely. Upgrading to version 8.21 addresses this issue. The identifier of the patch is cc35dafef57ef6e44a514a523f9a8d891e74ad8f. Upgrading the affe

RemediationAI

A vendor patch is available — apply it immediately. Restrict network access to the affected service where possible.

More in Wekan

View all
CVE-2021-3309 HIGH POC
8.1 Jan 26

packages/wekan-ldap/server/ldap.js in Wekan before 4.87 can process connections even though they are not authorized by t

CVE-2026-52891 CRITICAL
9.9 Jul 15

OS command injection in Wekan (the open-source Meteor-based kanban board) before version 9.07 lets an authenticated user

CVE-2026-55652 CRITICAL
9.8 Jul 15

Authentication bypass in Wekan (open-source Meteor kanban) before version 9.46 lets an unauthenticated attacker imperson

CVE-2023-28485 MEDIUM POC
5.4 Jun 26

A stored cross-site scripting (Stored XSS) vulnerability in file preview in WeKan before 6.75 allows remote authenticate

CVE-2021-20654 MEDIUM POC
5.4 Feb 10

Wekan, open source kanban board system, between version 3.12 and 4.11, is vulnerable to multiple stored cross-site scrip

CVE-2026-52893 CRITICAL
9.2 Jul 15

Account takeover in Wekan (open-source Meteor kanban) before 9.32 allows an attacker who controls an OIDC provider accou

CVE-2026-25560 HIGH
8.7 Feb 07

LDAP filter injection in WeKan before 8.19 allows remote unauthenticated attackers to manipulate LDAP search filters and

CVE-2026-41454 HIGH
8.7 Apr 22

Privilege escalation in WeKan (versions prior to 8.35) allows authenticated board members with low privileges to perform

CVE-2026-55234 HIGH
8.5 Jul 15

Improper access control in Wekan (self-hosted open-source Meteor kanban) before version 9.37 lets any authenticated user

CVE-2026-30845 HIGH
8.2 Mar 06

Wekan versions 8.31.0 through 8.33 expose webhook URLs and authentication tokens to all board members through unfiltered

CVE-2026-30844 HIGH
8.1 Mar 06

Server-Side Request Forgery in Wekan 8.32-8.33 allows authenticated users to force the server to make arbitrary HTTP req

CVE-2026-53444 HIGH
7.6 Jul 15

Privilege escalation in Wekan (self-hosted Meteor kanban) before 9.32 lets any authenticated user directly invoke OIDC-o

Share

CVE-2026-1896 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy