Skip to main content

Wekan CVE-2026-52890

HIGH
Path Traversal (CWE-22)
2026-07-15 GitHub_M
7.1
CVSS 3.1 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
7.1 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L
vuln.today AI
7.1 HIGH

Network-reachable DDP method (AV:N/AC:L) needs a logged-in write-capable board member (PR:L); arbitrary file read gives C:H, /dev/zero DoS gives A:L, no integrity impact.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:L/SC:N/SI:N/SA:N

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
Low

Lifecycle Timeline

3
Source Code Evidence Fetched
Jul 15, 2026 - 22:00 vuln.today
Analysis Generated
Jul 15, 2026 - 22:00 vuln.today
CVE Published
Jul 15, 2026 - 21:07 cve.org
HIGH 7.1

DescriptionCVE.org

Wekan is open source kanban built with Meteor. Prior to 9.31, Wekan allows a logged-in board member to insert an attachment document through the /attachments/insert DDP method with attacker-controlled versions.original.path and versions.original.storage fields. The server/permissions/attachments.js insert rule checks only board write access, and FileStoreStrategyFilesystem.getReadStream() in models/lib/fileStoreStrategy.js streams the stored path without a storage-root containment check, allowing arbitrary file reads and denial of service through special files such as /dev/zero. This issue is fixed in version 9.31.

AnalysisAI

Arbitrary file read and denial of service in Wekan (open-source Meteor kanban board) before version 9.31 allows an authenticated board member to read any file the server process can access by supplying attacker-controlled versions.original.path and versions.original.storage values to the /attachments/insert DDP method. Because the server-side insert permission rule only validates board write access and the filesystem store never confirms the path stays within the storage root, a low-privileged user can exfiltrate sensitive host files or hang the process by pointing at special files like /dev/zero. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Authenticate as board member with write access
Delivery
Call /attachments/insert DDP method
Exploit
Set versions.original.path to target file and storage to filesystem
Execution
Bypass missing storage-root containment check
Persist
Retrieve attachment to read arbitrary file or stream /dev/zero
Impact
Exfiltrate sensitive data or cause denial of service

Vulnerability AssessmentAI

Exploitation Exploitation requires an authenticated Wekan account that is a member of at least one board with write access, and requires the server to be using the filesystem attachment storage strategy that FileStoreStrategyFilesystem.getReadStream() serves. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The supplied CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L, base 7.1) aligns well with the described mechanics: network-reachable DDP endpoint, low attack complexity, and low privileges (any logged-in board member with write access), yielding high confidentiality impact (arbitrary file read) plus low availability impact (DoS via /dev/zero) and no integrity impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who holds (or is granted) ordinary write-level membership on any Wekan board calls the /attachments/insert DDP method with versions.original.storage set to the filesystem strategy and versions.original.path pointing at a sensitive host file such as /etc/passwd or an application config file, then downloads the attachment to exfiltrate its contents. The same technique aimed at /dev/zero causes the server to stream endlessly, producing a denial-of-service condition. …
Remediation Upgrade to the fixed release, Vendor-released patch: v9.31 (https://github.com/wekan/wekan/releases/tag/v9.31), which is applied by commit fc92b342ceedcf38dbd614a0f7b50d6dc2b22eb8 and documented in advisory GHSA-g6vm-7757-pr88. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours, identify all Wekan deployments running versions before 9.31 and assess risk based on board member types and data sensitivity. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

More in Wekan

View all
CVE-2021-3309 HIGH POC
8.1 Jan 26

packages/wekan-ldap/server/ldap.js in Wekan before 4.87 can process connections even though they are not authorized by t

CVE-2026-52891 CRITICAL
9.9 Jul 15

OS command injection in Wekan (the open-source Meteor-based kanban board) before version 9.07 lets an authenticated user

CVE-2026-55652 CRITICAL
9.8 Jul 15

Authentication bypass in Wekan (open-source Meteor kanban) before version 9.46 lets an unauthenticated attacker imperson

CVE-2023-28485 MEDIUM POC
5.4 Jun 26

A stored cross-site scripting (Stored XSS) vulnerability in file preview in WeKan before 6.75 allows remote authenticate

CVE-2021-20654 MEDIUM POC
5.4 Feb 10

Wekan, open source kanban board system, between version 3.12 and 4.11, is vulnerable to multiple stored cross-site scrip

CVE-2026-52893 CRITICAL
9.2 Jul 15

Account takeover in Wekan (open-source Meteor kanban) before 9.32 allows an attacker who controls an OIDC provider accou

CVE-2026-25560 HIGH
8.7 Feb 07

LDAP filter injection in WeKan before 8.19 allows remote unauthenticated attackers to manipulate LDAP search filters and

CVE-2026-41454 HIGH
8.7 Apr 22

Privilege escalation in WeKan (versions prior to 8.35) allows authenticated board members with low privileges to perform

CVE-2026-55234 HIGH
8.5 Jul 15

Improper access control in Wekan (self-hosted open-source Meteor kanban) before version 9.37 lets any authenticated user

CVE-2026-30845 HIGH
8.2 Mar 06

Wekan versions 8.31.0 through 8.33 expose webhook URLs and authentication tokens to all board members through unfiltered

CVE-2026-30844 HIGH
8.1 Mar 06

Server-Side Request Forgery in Wekan 8.32-8.33 allows authenticated users to force the server to make arbitrary HTTP req

CVE-2026-53444 HIGH
7.6 Jul 15

Privilege escalation in Wekan (self-hosted Meteor kanban) before 9.32 lets any authenticated user directly invoke OIDC-o

Share

CVE-2026-52890 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy