Description
WeKan versions prior to 8.19 contain an information disclosure vulnerability in the attachments publication. Attachment metadata can be returned without properly scoping results to boards and cards accessible to the requesting user, potentially exposing attachment metadata to unauthorized users.
Published: 2026-02-07
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Information Disclosure of attachment metadata
Action: Apply Patch
AI Analysis

Impact

The vulnerability in WeKan versions earlier than 8.19 allows the retrieval of attachment metadata without enforcing scoping rules based on the board or card permissions of the requesting user. This flaw can expose details such as file names, paths, upload times, or other sensitive metadata to users who should not have visibility, leading to unintended data leakage.
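As an added illustration, not WeKan's own code, the following constructed JavaScript model contrasts an attachment-metadata query that applies the requester's filter as-is with one that first derives the set of boards the requester may read and intersects the filter with it. The board, attachment and user records are constructed sample data, and the visibility rule (public boards plus private boards the user belongs to) is an assumption for the example.

```javascript
// Added example, not WeKan code: a minimal model of attachment-metadata
// scoping. All records below are constructed sample data.

const boards = [
  { _id: 'b1', permission: 'public',  members: ['u1'] },
  { _id: 'b2', permission: 'private', members: ['u2'] },
];

const attachments = [
  { _id: 'a1', boardId: 'b1', cardId: 'c1', name: 'roadmap.pdf',   uploadedAt: '2026-01-05' },
  { _id: 'a2', boardId: 'b2', cardId: 'c2', name: 'salaries.xlsx', uploadedAt: '2026-01-06' },
];

// Assumed visibility rule: a user may read public boards and private
// boards they are a member of.
function visibleBoardIds(userId) {
  return boards
    .filter(b => b.permission === 'public' || b.members.includes(userId))
    .map(b => b._id);
}

// Vulnerable shape (CWE-203 style disclosure): the requester's filter is
// applied directly, so a user can ask for metadata from a board they
// cannot read and still get the records back.
function attachmentsUnscoped(userId, filter) {
  return attachments.filter(a => !filter.boardId || a.boardId === filter.boardId);
}

// Hardened shape: the server computes the allowed board set from the
// requester's identity and only then applies the requester's filter.
function attachmentsScoped(userId, filter) {
  const allowed = new Set(visibleBoardIds(userId));
  return attachments.filter(a =>
    allowed.has(a.boardId) && (!filter.boardId || a.boardId === filter.boardId));
}
```

The check that matters is that the allowed set comes from server-side state keyed on the requester's identity, never from parameters the requester supplies.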

Affected Systems

All installations of the WeKan project running a version below 8.19 are affected. The issue was present in every build prior to 8.19 and has been addressed in release 8.19 and later. No specific patch-level subdivision is detailed beyond the version boundary.

Risk and Exploitability

The CVSS base score of 5.3 classifies this as medium severity. The EPSS score is under 1%, indicating a very low probability of exploitation at the time of analysis. The vulnerability is not listed in the CISA KEV catalog. The attack vector is inferred to be remote, via the web interface or API, on the assumption that an authenticated user can reach the attachments endpoint. Exploitation would likely require an account with some level of access to the application, but the flaw allows that account to obtain metadata for objects outside its authorized scope.

Generated by OpenCVE AI on April 16, 2026 at 17:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to WeKan 8.19 or later, where the attachment publication endpoint correctly scopes results.
  • If an upgrade is delayed, configure the server to restrict access to the attachments publication endpoint to only users with appropriate roles, or disable the endpoint entirely.
  • In the interim, audit access logs for unusual metadata requests and consider disabling attachment uploads on public boards.

Advisories

No advisories yet.

History

Tue, 10 Feb 2026 22:15:00 +0000

Type    | Values Removed | Values Added
CPEs    |                | cpe:2.3:a:wekan_project:wekan:*:*:*:*:*:*:*:*
Metrics |                | cvssV3_1: {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}

Tue, 10 Feb 2026 17:15:00 +0000

Type    | Values Removed | Values Added
Metrics |                | ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 09 Feb 2026 11:00:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Wekan Project; Wekan Project wekan
Vendors & Products  |                | Wekan Project; Wekan Project wekan

Sat, 07 Feb 2026 22:00:00 +0000

Type        | Values Removed | Values Added
Description |                | WeKan versions prior to 8.19 contain an information disclosure vulnerability in the attachments publication. Attachment metadata can be returned without properly scoping results to boards and cards accessible to the requesting user, potentially exposing attachment metadata to unauthorized users.
Title       |                | WeKan < 8.19 Attachments Publication Information Disclosure
Weaknesses  |                | CWE-203
References  |                |
Metrics     |                | cvssV4_0: {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-03-05T01:30:47.450Z

Reserved: 2026-02-02T20:12:33.396Z

Link: CVE-2026-25562

Vulnrichment

Updated: 2026-02-10T16:22:56.567Z

NVD

Status : Analyzed

Published: 2026-02-07T22:16:01.627

Modified: 2026-02-10T22:01:03.293

Link: CVE-2026-25562

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T17:30:26Z

Weaknesses