Description
A flaw has been found in WeKan up to 8.20. Affected is the function applyWipLimit of the file models/lists.js of the component Attachment Storage Handler. Executing a manipulation can lead to improper access controls. The attack can be executed remotely. Upgrading to version 8.21 is able to address this issue. This patch is called 8c0b4f79d8582932528ec2fdf2a4487c86770fb9. It is recommended to upgrade the affected component.
Published: 2026-02-04
Score: 5.3 (Medium)
EPSS: < 1% (Very Low)
KEV: No
Impact: Improper Access Control
Action: Patch
AI Analysis

Impact

The flaw lies in the applyWipLimit function of WeKan’s Attachment Storage Handler. Manipulating requests that invoke this function allows an attacker to bypass the intended access restrictions on list attachments, exposing sensitive files to unauthorized users. The weakness is a classic example of improper access control, corresponding to CWE-266 and CWE-284; it can lead to confidentiality and integrity violations but does not provide code execution. The problem is limited to data exposure and does not affect system availability.

Affected Systems

WeKan installations up to version 8.20 are affected. All deployments that include the open-source project WeKan are vulnerable until the fix in release 8.21, which incorporates commit 8c0b4f79d8582932528ec2fdf2a4487c86770fb9, is applied.

Risk and Exploitability

The CVSS score of 5.3 labels the vulnerability as moderate severity, while the EPSS score of less than 1% indicates a low likelihood of exploitation. The vulnerability is not listed in the CISA KEV catalog. According to the description, the attack can be executed remotely with crafted requests to the web service; no local privileges are required to reach the flaw. The attacker can trigger the improper access control by targeting the applyWipLimit endpoint and gain unauthorized access to attachment data.

Generated by OpenCVE AI on April 18, 2026 at 13:42 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the WeKan installation to version 8.21 or newer to apply the vendor patch that fixes the access-control bug.
  • After upgrading, review the role-based permissions for attachment storage to confirm that only authorized users can view or upload attachments for lists marked WIP.
  • Continuously monitor application logs for anomalous attachment access attempts, which may indicate exploitation attempts or misconfiguration.

Advisories

No advisories yet.

History

Mon, 23 Feb 2026 09:45:00 +0000

Type | Values Removed | Values Added
References | |

Wed, 11 Feb 2026 19:15:00 +0000

Type | Values Removed | Values Added
Weaknesses | | NVD-CWE-noinfo
CPEs | | cpe:2.3:a:wekan_project:wekan:*:*:*:*:*:*:*:*

Thu, 05 Feb 2026 15:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 05 Feb 2026 11:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Wekan Project; Wekan Project wekan
Vendors & Products | | Wekan Project; Wekan Project wekan

Wed, 04 Feb 2026 23:15:00 +0000

Type | Values Removed | Values Added
Description | | A flaw has been found in WeKan up to 8.20. Affected is the function applyWipLimit of the file models/lists.js of the component Attachment Storage Handler. Executing a manipulation can lead to improper access controls. The attack can be executed remotely. Upgrading to version 8.21 is able to address this issue. This patch is called 8c0b4f79d8582932528ec2fdf2a4487c86770fb9. It is recommended to upgrade the affected component.
Title | | WeKan Attachment Storage lists.js applyWipLimit ListWIPBleed access control
Weaknesses | | CWE-266; CWE-284
References | |
Metrics | | cvssV2_0: {'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:ND/RL:OF/RC:C'}
Metrics | | cvssV3_0: {'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:X/RL:O/RC:C'}
Metrics | | cvssV3_1: {'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:X/RL:O/RC:C'}
Metrics | | cvssV4_0: {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X'}

MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-02-23T09:17:19.148Z

Reserved: 2026-02-04T14:46:21.963Z

Link: CVE-2026-1895

Vulnrichment

Updated: 2026-02-05T14:59:31.399Z

NVD

Status : Modified

Published: 2026-02-04T23:15:55.860

Modified: 2026-02-23T10:16:23.540

Link: CVE-2026-1895

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T13:45:45Z