Description
A vulnerability has been found in WeKan up to 8.20. The impacted element is an unknown function of the file server/attachmentMigration.js of the component Attachment Migration. The manipulation leads to improper access controls. The attack may be initiated remotely. Upgrading to version 8.21 is sufficient to resolve this issue. The identifier of the patch is 053bf1dfb76ef230db162c64a6ed50ebedf67eee. It is recommended to upgrade the affected component.
Published: 2026-02-05
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Access via Improper Access Control
Action: Patch Now
AI Analysis

Impact

A flaw exists in the file server/attachmentMigration.js component of WeKan, allowing an attacker to bypass normal access controls. The vulnerability is caused by an unknown function that does not enforce proper permission checks before processing attachment migrations. An attacker can therefore access or manipulate attachments intended to be restricted, potentially exposing sensitive data or altering attachment content. The weakness aligns with CWE-266 (Privilege Escalation) and CWE-284 (Improper Access Control).

Affected Systems

All installations of the WeKan project up to version 8.20 are affected. The vendor, WeKan, has addressed the issue in its releases and provides a patch in version 8.21, identified by commit 053bf1dfb76ef230db162c64a6ed50ebedf67eee. Users running earlier releases should update to 8.21 or apply the specific patch commit.

Risk and Exploitability

The CVSS v3.1 score of 5.3 places the vulnerability in the moderate severity range, and the EPSS score of less than 1% indicates a very low probability of exploitation in the wild. The vulnerability can be triggered remotely, and it is not listed in the CISA KEV catalog. Given the moderate impact and low exploitation likelihood, the overall risk is considered moderate, but it remains important to remediate promptly to eliminate the potential for unauthorized data access.

Generated by OpenCVE AI on April 17, 2026 at 22:59 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the WeKan installation to version 8.21 or apply the patch commit 053bf1dfb76ef230db162c64a6ed50ebedf67eee to fix the issue.
  • If an upgrade cannot be performed immediately, disable or restrict access to the attachment migration feature via configuration so that unauthenticated users cannot invoke it.
  • Continuously monitor system logs for irregular attachment access patterns and respond to any unauthorized access attempts.

Advisories

No advisories yet.

History

Thu, 12 Feb 2026 17:30:00 +0000

Type: CPEs
Values Added: cpe:2.3:a:wekan_project:wekan:*:*:*:*:*:*:*:*

Fri, 06 Feb 2026 12:15:00 +0000

Type: First Time appeared
Values Added: Wekan Project; Wekan Project wekan
Type: Vendors & Products
Values Added: Wekan Project; Wekan Project wekan

Thu, 05 Feb 2026 21:15:00 +0000

Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 05 Feb 2026 20:45:00 +0000

Type: Description
Values Added: A vulnerability has been found in WeKan up to 8.20. The impacted element is an unknown function of the file server/attachmentMigration.js of the component Attachment Migration. The manipulation leads to improper access controls. The attack may be initiated remotely. Upgrading to version 8.21 is sufficient to resolve this issue. The identifier of the patch is 053bf1dfb76ef230db162c64a6ed50ebedf67eee. It is recommended to upgrade the affected component.
Type: Title
Values Added: WeKan Attachment Migration attachmentMigration.js AttachmentMigrationBleed access control
Type: Weaknesses
Values Added: CWE-266, CWE-284
Type: References
Type: Metrics
Values Added:
cvssV2_0 {'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:ND/RL:OF/RC:C'}
cvssV3_0 {'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:X/RL:O/RC:C'}
cvssV3_1 {'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:X/RL:O/RC:C'}
cvssV4_0 {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-02-23T09:18:09.782Z

Reserved: 2026-02-05T10:51:22.769Z

Link: CVE-2026-1962

Vulnrichment

Updated: 2026-02-05T20:57:16.061Z

NVD

Status: Analyzed

Published: 2026-02-05T21:15:52.987

Modified: 2026-02-12T17:29:38.423

Link: CVE-2026-1962

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T23:00:12Z

Weaknesses