CVE-2026-2207 - Vulnerability Details

- WeKan Activity Publication activities.js LinkedBoardActivitiesBleed information disclosure

Description

A weakness has been identified in WeKan up to 8.20. This issue affects some unknown processing of the file server/publications/activities.js of the component Activity Publication Handler. Executing a manipulation can lead to information disclosure. It is possible to launch the attack remotely. Upgrading to version 8.21 is capable of addressing this issue. This patch is called 91a936e07d2976d4246dfe834281c3aaa87f9503. You should upgrade the affected component.

Published: 2026-02-08

Score: 6.9 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

A weakness exists in the Activity Publication Handler of WeKan up to version 8.20, specifically in the file server/publications/activities.js. The flaw allows an attacker to manipulate the processing of the file, resulting in an unauthorized disclosure of sensitive information. It is possible for the attacker to launch this exploit remotely, meaning that the vulnerability is publicly exploitable without local user interaction.

Affected Systems

WeKan Project software versions up to and including 8.20 are affected. All installations that have not yet migrated to version 8.21 contain the vulnerable component and therefore are at risk.

Risk and Exploitability

The CVSS score of 6.9 indicates a moderate severity vulnerability, and the EPSS score of less than 1% implies a low but non-zero probability of exploitation. The vulnerability is not listed in the CISA KEV catalog. Because the attack can be performed remotely and does not require additional user interaction, the overall risk to organizations using vulnerable WeKan installations remains significant, especially if sensitive data is exposed through the publication feature.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

n/a

WeKan

affected

Version	Status	Constraints
`8.0`	affected	—
`8.1`	affected	—
`8.2`	affected	—
`8.3`	affected	—
`8.4`	affected	—
`8.5`	affected	—
`8.6`	affected	—
`8.7`	affected	—
`8.8`	affected	—
`8.9`	affected	—
`8.10`	affected	—
`8.11`	affected	—
`8.12`	affected	—
`8.13`	affected	—
`8.14`	affected	—
`8.15`	affected	—
`8.16`	affected	—
`8.17`	affected	—
`8.18`	affected	—
`8.19`	affected	—
`8.20`	affected	—
`8.21`	unaffected	—

Configuration 1 [-]

cpe:2.3:a:wekan_project:wekan:*:*:*:*:*:*:*:*

No data.

Vendor	Product	Confidence	Versions
Wekan Project	Wekan	—	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Apply WeKan version 8.21 or later to replace the vulnerable Activity Publication Handler.
If an upgrade is not immediately possible, restrict remote access to the /publications directory or the activities.js file using web‑server access controls so that only authenticated users with proper authorization can reach it.
Implement monitoring for anomalous access attempts to the Activities endpoint to detect potential exploitation attempts early.

Generated by OpenCVE AI on April 17, 2026 at 22:02 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact None

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

This CVE is not in the KEV list.

The EPSS score is 0.00054.

Exploitation poc

Automatable yes

Technical Impact partial

References

Link	Providers
https://github.com/wekan/wekan/
https://github.com/wekan/wekan/commit/91a936e07d2976d4246dfe834281c3aaa87f9503
https://github.com/wekan/wekan/releases/tag/v8.21
https://vuldb.com/?ctiid.344921
https://vuldb.com/?id.344921
https://vuldb.com/?submit.752163

History

Wed, 11 Feb 2026 19:00:00 +0000

Type	Values Removed	Values Added
CPEs		cpe:2.3:a:wekan_project:wekan::::::::

Tue, 10 Feb 2026 20:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Mon, 09 Feb 2026 11:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Wekan Project Wekan Project wekan
Vendors & Products		Wekan Project Wekan Project wekan

Sun, 08 Feb 2026 02:00:00 +0000

Type	Values Removed	Values Added
Description		A weakness has been identified in WeKan up to 8.20. This issue affects some unknown processing of the file server/publications/activities.js of the component Activity Publication Handler. Executing a manipulation can lead to information disclosure. It is possible to launch the attack remotely. Upgrading to version 8.21 is capable of addressing this issue. This patch is called 91a936e07d2976d4246dfe834281c3aaa87f9503. You should upgrade the affected component.
Title		WeKan Activity Publication activities.js LinkedBoardActivitiesBleed information disclosure
Weaknesses		CWE-200 CWE-284
References		https://github.com/wekan/wekan/ https://github.com/wekan/wekan/commit/91a936e07d2976d4246dfe834281c3aaa87f9503 https://github.com/wekan/wekan/releases/tag/v8.21 https://vuldb.com/?ctiid.344921 https://vuldb.com/?id.344921 https://vuldb.com/?submit.752163
Metrics		cvssV2_0 `{'score': 5, 'vector': 'AV:N/AC:L/Au:N/C:P/I:N/A:N/E:ND/RL:OF/RC:C'}` cvssV3_0 `{'score': 5.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:X/RL:O/RC:C'}` cvssV3_1 `{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:X/RL:O/RC:C'}` cvssV4_0 `{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X'}`

Subscriptions

Wekan Project Wekan

MITRE

Status: PUBLISHED

Assigner: VulDB

Published: 2026-02-08T01:09:38.774Z

Updated: 2026-02-23T09:54:19.684Z

Reserved: 2026-02-08T01:06:08.704Z

Link: CVE-2026-2207

Vulnrichment

Updated: 2026-02-10T19:40:58.110Z

NVD

Status : Analyzed

Published: 2026-02-08T02:15:57.447

Modified: 2026-02-11T18:58:37.977

Link: CVE-2026-2207

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T22:15:29Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact None

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

Exploitation poc

Automatable yes

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object