Skip to main content

Wekan CVE-2026-2206

MEDIUM
Incorrect Privilege Assignment (CWE-266)
2026-02-08 cna@vuldb.com
6.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.3 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

3
Analysis Generated
Mar 12, 2026 - 21:55 vuln.today
Patch released
Feb 11, 2026 - 18:58 nvd
Patch available
CVE Published
Feb 08, 2026 - 02:15 nvd
MEDIUM 6.3

DescriptionCVE.org

A security flaw has been discovered in WeKan up to 8.20. This vulnerability affects unknown code of the file server/methods/fixDuplicateLists.js of the component Administrative Repair Handler. Performing a manipulation results in improper access controls. It is possible to initiate the attack remotely. Upgrading to version 8.21 is able to resolve this issue. The patch is named 4ce181d17249778094f73d21515f7f863f554743. It is advisable to upgrade the affected component.

AnalysisAI

Improper access controls in WeKan's administrative repair handler (fixDuplicateLists.js) allow authenticated remote attackers to manipulate list data and gain unauthorized access to sensitive information. Affected versions through 8.20 can be remediated by upgrading to version 8.21 or applying the referenced patch.

Technical ContextAI

Affects Wekan. A security flaw has been discovered in WeKan up to 8.20. This vulnerability affects unknown code of the file server/methods/fixDuplicateLists.js of the component Administrative Repair Handler. Performing a manipulation results in improper access controls. It is possible to initiate the attack remotely. Upgrading to version 8.21 is able to resolve this issue. The patch is named 4ce181d17249778094f73d21515f7f863f554743. It is advisable to upgrade the affected component.

RemediationAI

A vendor patch is available — apply it immediately. Restrict network access to the affected service where possible.

More in Wekan

View all
CVE-2021-3309 HIGH POC
8.1 Jan 26

packages/wekan-ldap/server/ldap.js in Wekan before 4.87 can process connections even though they are not authorized by t

CVE-2023-28485 MEDIUM POC
5.4 Jun 26

A stored cross-site scripting (Stored XSS) vulnerability in file preview in WeKan before 6.75 allows remote authenticate

CVE-2021-20654 MEDIUM POC
5.4 Feb 10

Wekan, open source kanban board system, between version 3.12 and 4.11, is vulnerable to multiple stored cross-site scrip

CVE-2026-25560 HIGH
8.7 Feb 07

LDAP filter injection in WeKan before 8.19 allows remote unauthenticated attackers to manipulate LDAP search filters and

CVE-2026-41454 HIGH
8.7 Apr 22

Privilege escalation in WeKan (versions prior to 8.35) allows authenticated board members with low privileges to perform

CVE-2026-30845 HIGH
8.2 Mar 06

Wekan versions 8.31.0 through 8.33 expose webhook URLs and authentication tokens to all board members through unfiltered

CVE-2026-30844 HIGH
8.1 Mar 06

Server-Side Request Forgery in Wekan 8.32-8.33 allows authenticated users to force the server to make arbitrary HTTP req

CVE-2026-30846 HIGH
7.5 Mar 06

Wekan versions 8.31.0 through 8.33 expose global webhook configurations including sensitive URLs and authentication toke

CVE-2026-25859 HIGH
7.1 Feb 07

Broken authorization in Wekan versions prior to 8.20 lets any authenticated non-administrative user invoke board migrati

CVE-2026-25568 HIGH
7.1 Feb 07

Authorization bypass in WeKan (self-hosted kanban board) versions prior to 8.19 lets an authenticated user create public

CVE-2026-25566 HIGH
7.1 Feb 07

Improper authorization in WeKan's card-move API lets an authenticated low-privilege user relocate cards to boards, lists

CVE-2026-25565 HIGH
7.1 Feb 07

Privilege escalation via broken authorization in WeKan (the open-source kanban board) before 8.19 lets users holding rea

Share

CVE-2026-2206 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy