Description
A vulnerability has been found in WeKan up to 8.20. Affected by this vulnerability is the function ComprehensiveBoardMigration of the file server/migrations/comprehensiveBoardMigration.js of the component Migration Operation Handler. The manipulation of the argument boardId leads to improper access controls. The attack can be carried out remotely. Upgrading to version 8.21 addresses this issue. The identifier of the patch is cc35dafef57ef6e44a514a523f9a8d891e74ad8f. Upgrading the affected component is advised.
Published: 2026-02-04
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Improper Access Control during Board Migration
Action: Apply Patch
AI Analysis

Impact

The ComprehensiveBoardMigration function in WeKan’s migration module accepts a boardId parameter without enforcing proper authorization checks. By manipulating boardId remotely, an attacker can trigger migration of any board, potentially exposing data or escalating privileges. Classified as CWE-284 (improper access control), the flaw can be abused from outside the application without local access; its CVSS score of 5.3 indicates a medium severity impact on confidentiality and integrity.
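The pattern behind this finding is a server-side operation that trusts a caller-supplied boardId and never asks whether the caller may administer that board. The following is an added illustration written for this page, not WeKan's code and not the patch referenced above: the boards, users, member structure and function names are all hypothetical, and the in-memory Maps stand in for a database. It shows the unchecked shape beside a guarded version that resolves the caller server-side and checks board-level authorization before the migration touches any data.

```javascript
// Added example, not WeKan's code. Every name and data shape here is an
// assumption made for illustration; the Maps below are constructed data.

// Constructed stand-in for a boards collection. Each board lists its members
// and whether a member is a board admin.
const boards = new Map([
  ['board-1', { _id: 'board-1', title: 'Ops', schemaVersion: 1,
                members: [{ userId: 'alice', isAdmin: true },
                          { userId: 'bob', isAdmin: false }] }],
  ['board-2', { _id: 'board-2', title: 'Finance', schemaVersion: 1,
                members: [{ userId: 'carol', isAdmin: true }] }],
]);

// Constructed users; isAdmin marks an instance-wide administrator.
const users = new Map([
  ['alice', { _id: 'alice', isAdmin: false }],
  ['bob',   { _id: 'bob',   isAdmin: false }],
  ['carol', { _id: 'carol', isAdmin: false }],
  ['root',  { _id: 'root',  isAdmin: true }],
]);

// The migration work itself (hypothetical): bump the schema version and
// record who ran it and when.
function runMigration(board, userId) {
  board.schemaVersion = 2;
  board.migratedBy = userId;
  board.migratedAt = new Date().toISOString();
  return { boardId: board._id, schemaVersion: board.schemaVersion };
}

// Vulnerable shape: boardId is the only input and nothing ties the request to
// a caller, so any caller who can reach this function migrates any board
// (the CWE-284 pattern described in the advisory).
function comprehensiveBoardMigrationUnchecked(boardId) {
  const board = boards.get(boardId);
  if (!board) throw new Error('board not found');
  return runMigration(board, null);
}

// Authorization rule: instance admins or admins of this particular board.
function canAdministerBoard(userId, board) {
  const user = users.get(userId);
  if (!user) return false;
  if (user.isAdmin) return true;
  return board.members.some(m => m.userId === userId && m.isAdmin);
}

// Guarded shape: the caller identity comes from the server-side session
// (assumed here to be passed in as callerUserId), the board is loaded, and
// authorization is checked against that board before any work is done.
// A missing board and a forbidden board yield the same error so the response
// does not reveal which board ids exist.
function comprehensiveBoardMigration(callerUserId, boardId) {
  if (!callerUserId) throw new Error('not-authenticated');
  if (typeof boardId !== 'string' || boardId.length === 0) {
    throw new Error('invalid-boardId');
  }
  const board = boards.get(boardId);
  if (!board || !canAdministerBoard(callerUserId, board)) {
    throw new Error('forbidden');
  }
  return runMigration(board, callerUserId);
}

// Small helper: does fn() throw an Error carrying exactly this message?
function rejects(fn, message) {
  try { fn(); return false; } catch (e) { return e.message === message; }
}
```

The guarded version is also the detection hook: because every migration now passes through one function that knows the caller and the board, logging denied attempts there gives a reviewable record of who tried to migrate which board.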

Affected Systems

All WeKan installations running version 8.20 or earlier are affected. The issue resides in the server/migrations/comprehensiveBoardMigration.js file within the Migration Operation Handler. The fix is included in WeKan release 8.21, corresponding to patch commit cc35dafef57ef6e44a514a523f9a8d891e74ad8f.

Risk and Exploitability

The CVSS score of 5.3 places this flaw in the medium severity range, while the EPSS score of less than 1% suggests a very low likelihood of exploitation at present. The vulnerability is not listed in the CISA KEV catalog. An attacker can exploit the flaw remotely by sending crafted migration requests with a manipulated boardId, provided the target allows external access to the migration endpoint. Because the function itself does not check whether the caller is authorized for the given board, the application's existing authentication does not prevent abuse, so any internet-exposed, unpatched WeKan instance offers a straightforward attack path.

Generated by OpenCVE AI on April 17, 2026 at 23:04 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade WeKan to version 8.21 or later to incorporate the fixed migration logic.
  • If an immediate upgrade is not possible, apply the patch corresponding to commit cc35dafef57ef6e44a514a523f9a8d891e74ad8f.
  • Limit access to the migration endpoint so that only administrators can invoke board migrations, thereby reducing the opportunity for an attacker to manipulate boardId.



Advisories

No advisories yet.

History

Tue, 10 Feb 2026 18:00:00 +0000

Type | Values Removed | Values Added
CPEs | | cpe:2.3:a:wekan_project:wekan:*:*:*:*:*:*:*:*

Thu, 05 Feb 2026 16:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 05 Feb 2026 11:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Wekan Project; Wekan Project wekan
Vendors & Products | | Wekan Project; Wekan Project wekan

Wed, 04 Feb 2026 23:45:00 +0000

Type | Values Removed | Values Added
Description | | A vulnerability has been found in WeKan up to 8.20. Affected by this vulnerability is the function ComprehensiveBoardMigration of the file server/migrations/comprehensiveBoardMigration.js of the component Migration Operation Handler. The manipulation of the argument boardId leads to improper access controls. The attack is possible to be carried out remotely. Upgrading to version 8.21 addresses this issue. The identifier of the patch is cc35dafef57ef6e44a514a523f9a8d891e74ad8f. Upgrading the affected component is advised.
Title | | WeKan Migration Operation comprehensiveBoardMigration.js ComprehensiveBoardMigration MigrationBleed access control
Weaknesses | | CWE-266; CWE-284
References | |
Metrics | | cvssV2_0 {'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:ND/RL:OF/RC:C'}
Metrics | | cvssV3_0 {'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:X/RL:O/RC:C'}
Metrics | | cvssV3_1 {'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:X/RL:O/RC:C'}
Metrics | | cvssV4_0 {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X'}

MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-02-23T09:17:30.908Z

Reserved: 2026-02-04T14:46:24.518Z

Link: CVE-2026-1896

Vulnrichment

Updated: 2026-02-05T15:56:09.056Z

NVD

Status: Analyzed

Published: 2026-02-05T00:15:53.760

Modified: 2026-02-10T17:45:59.510

Link: CVE-2026-1896

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T23:15:30Z

Weaknesses