Description
A security vulnerability has been detected in WeKan up to 8.20. Impacted is an unknown function of the file server/publications/rules.js of the component Rules Handler. The manipulation leads to missing authorization. The attack can be initiated remotely. Upgrading to version 8.21 is recommended to address this issue. The identifier of the patch is a787bcddf33ca28afb13ff5ea9a4cb92dceac005. The affected component should be upgraded.
Published: 2026-02-08
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Access via Missing Authorization
Action: Apply Patch
AI Analysis

Impact

A missing authorization check in the WeKan Rules Handler component allows remote attackers to manipulate the /publications/rules endpoint without authentication. The vulnerability does not provide arbitrary code execution; it permits unauthorized interaction with the rules data, potentially affecting the integrity and behavior of the application.

Affected Systems

WeKan Project’s WeKan application versions up to 8.20 are affected, specifically the server/publications/rules.js file. The vendor recommends upgrading to version 8.21 to eliminate the issue.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate severity, and the EPSS score of less than 1% suggests a low likelihood of exploitation. The vulnerability is not listed in the CISA KEV catalog. Attackers can initiate the exploit remotely over HTTP without prior authentication, making the risk moderate but actionable.

Generated by OpenCVE AI on April 18, 2026 at 13:19 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to WeKan v8.21 or apply the official patch a787bcddf33ca28afb13ff5ea9a4cb92dceac005 to replace the vulnerable component.
  • Restart the WeKan service so that the updated code is in effect.
  • Monitor application logs for unauthorized access attempts to the /publications/rules endpoint.

Generated by OpenCVE AI on April 18, 2026 at 13:19 UTC.

Advisories

No advisories yet.

History

Wed, 11 Feb 2026 19:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:wekan_project:wekan:*:*:*:*:*:*:*:*

Tue, 10 Feb 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 09 Feb 2026 11:00:00 +0000

Type Values Removed Values Added
First Time appeared Wekan Project
Wekan Project wekan
Vendors & Products Wekan Project
Wekan Project wekan

Sun, 08 Feb 2026 02:00:00 +0000

Type Values Removed Values Added
Description A security vulnerability has been detected in WeKan up to 8.20. Impacted is an unknown function of the file server/publications/rules.js of the component Rules Handler. The manipulation leads to missing authorization. The attack can be initiated remotely. Upgrading to version 8.21 is recommended to address this issue. The identifier of the patch is a787bcddf33ca28afb13ff5ea9a4cb92dceac005. The affected component should be upgraded.
Title WeKan Rules rules.js RulesBleed authorization
Weaknesses CWE-862
CWE-863
References
Metrics cvssV2_0

{'score': 4, 'vector': 'AV:N/AC:L/Au:S/C:P/I:N/A:N/E:ND/RL:OF/RC:C'}

cvssV3_0

{'score': 4.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:X/RL:O/RC:C'}

cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:X/RL:O/RC:C'}

cvssV4_0

{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-02-23T09:54:32.411Z

Reserved: 2026-02-08T01:06:11.235Z

Link: CVE-2026-2208

Vulnrichment

Updated: 2026-02-10T19:42:29.694Z

NVD

Status: Analyzed

Published: 2026-02-08T02:15:57.640

Modified: 2026-02-11T18:58:14.540

Link: CVE-2026-2208

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T13:30:45Z
