CVE-2026-2205 - Vulnerability Details

- WeKan Meteor Publication cards.js CardPubSubBleed information disclosure

Description

A vulnerability was identified in WeKan up to 8.20. This affects an unknown part of the file server/publications/cards.js of the component Meteor Publication Handler. Such manipulation leads to information disclosure. The attack may be performed from remote. Upgrading to version 8.21 is able to mitigate this issue. The name of the patch is 0f5a9c38778ca550cbab6c5093470e1e90cb837f. Upgrading the affected component is advised.

Published: 2026-02-08

Score: 5.3 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

A vulnerability exists in WeKan versions up to 8.20 in the Meteor Publication Handler file server/publications/cards.js. By manipulating the publication request, an attacker can retrieve internal card data that should not be publicly exposed, resulting in the disclosure of potentially sensitive information. The description indicates that the attack can be performed remotely.

Affected Systems

The affected vendor is WeKan, project name WeKan. All releases up to version 8.20 are vulnerable. Upgrading to version 8.21, which contains commit 0f5a9c38778ca550cbab6c5093470e1e90cb837f, eliminates the issue.

Risk and Exploitability

The CVSS score of 5.3 classifies the weakness as moderate. The EPSS score of less than 1 percent reflects a very low exploitation probability as of the last assessment, and the issue is not listed in the CISA KEV catalog. Exploitation requires remotely manipulating the Meteor publication endpoint that serves card data; no local privilege escalation or credential compromise is mentioned. Therefore, the primary risk is the exposure of data rather than denial of service or code execution.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

n/a

WeKan

affected

Version	Status	Constraints
`8.0`	affected	—
`8.1`	affected	—
`8.2`	affected	—
`8.3`	affected	—
`8.4`	affected	—
`8.5`	affected	—
`8.6`	affected	—
`8.7`	affected	—
`8.8`	affected	—
`8.9`	affected	—
`8.10`	affected	—
`8.11`	affected	—
`8.12`	affected	—
`8.13`	affected	—
`8.14`	affected	—
`8.15`	affected	—
`8.16`	affected	—
`8.17`	affected	—
`8.18`	affected	—
`8.19`	affected	—
`8.20`	affected	—
`8.21`	unaffected	—

Configuration 1 [-]

cpe:2.3:a:wekan_project:wekan:*:*:*:*:*:*:*:*

No data.

Vendor	Product	Confidence	Versions
Wekan Project	Wekan	—	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade WeKan to version 8.21 or later to apply the security fix.
If an upgrade is not immediately feasible, block external access to the Meteor card publication route using network or application-level controls, ensuring only authorized users can reach it.
When possible, review and tighten the authorization checks on card publications to prevent sensitive information from being served to unauthenticated or unauthorized clients.

Generated by OpenCVE AI on April 17, 2026 at 22:02 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact None

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

This CVE is not in the KEV list.

The EPSS score is 0.00046.

Exploitation none

Automatable no

Technical Impact partial

References

Link	Providers
https://github.com/wekan/wekan/
https://github.com/wekan/wekan/commit/0f5a9c38778ca550cbab6c5093470e1e90cb837f
https://github.com/wekan/wekan/releases/tag/v8.21
https://vuldb.com/?ctiid.344919
https://vuldb.com/?id.344919
https://vuldb.com/?submit.752161

History

Wed, 11 Feb 2026 19:00:00 +0000

Type	Values Removed	Values Added
CPEs		cpe:2.3:a:wekan_project:wekan::::::::

Tue, 10 Feb 2026 20:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Mon, 09 Feb 2026 11:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Wekan Project Wekan Project wekan
Vendors & Products		Wekan Project Wekan Project wekan

Sun, 08 Feb 2026 02:00:00 +0000

Type	Values Removed	Values Added
Description		A vulnerability was identified in WeKan up to 8.20. This affects an unknown part of the file server/publications/cards.js of the component Meteor Publication Handler. Such manipulation leads to information disclosure. The attack may be performed from remote. Upgrading to version 8.21 is able to mitigate this issue. The name of the patch is 0f5a9c38778ca550cbab6c5093470e1e90cb837f. Upgrading the affected component is advised.
Title		WeKan Meteor Publication cards.js CardPubSubBleed information disclosure
Weaknesses		CWE-200 CWE-284
References		https://github.com/wekan/wekan/ https://github.com/wekan/wekan/commit/0f5a9c38778ca550cbab6c5093470e1e90cb837f https://github.com/wekan/wekan/releases/tag/v8.21 https://vuldb.com/?ctiid.344919 https://vuldb.com/?id.344919 https://vuldb.com/?submit.752161
Metrics		cvssV2_0 `{'score': 4, 'vector': 'AV:N/AC:L/Au:S/C:P/I:N/A:N/E:ND/RL:OF/RC:C'}` cvssV3_0 `{'score': 4.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:X/RL:O/RC:C'}` cvssV3_1 `{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:X/RL:O/RC:C'}` cvssV4_0 `{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X'}`

Subscriptions

Wekan Project Wekan

MITRE

Status: PUBLISHED

Assigner: VulDB

Published: 2026-02-08T01:09:32.732Z

Updated: 2026-02-23T09:53:55.977Z

Reserved: 2026-02-08T01:06:02.995Z

Link: CVE-2026-2205

Vulnrichment

Updated: 2026-02-10T19:37:39.598Z

NVD

Status : Analyzed

Published: 2026-02-08T02:15:57.047

Modified: 2026-02-11T18:58:58.000

Link: CVE-2026-2205

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T22:15:29Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact None

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

Exploitation none

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object