Description
Wekan is an open source kanban tool built with Meteor. In versions 8.31.0 through 8.33, the board composite publication in Wekan publishes all integration data for a board without any field filtering, exposing sensitive fields including webhook URLs and authentication tokens to any subscriber. Since board publications are accessible to all board members regardless of their role (including read-only and comment-only users), and even to unauthenticated DDP clients for public boards, any user who can access a board can retrieve its webhook credentials. This token leak allows attackers to make unauthenticated requests to the exposed webhooks, potentially triggering unauthorized actions in connected external services. This issue has been fixed in version 8.34.
Published: 2026-03-06
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Sensitive data exposure through missing field filtering
Action: Immediate Patch
AI Analysis

Impact

Wekan’s board composite publication exposed all integration data, including webhook URLs and authentication tokens, to any subscriber. The vulnerability, identified as a lack of field filtering, allowed users with board access – even those with read‑only or comment‑only roles – to retrieve sensitive configuration data. This data leak enables attackers to perform unauthenticated requests to exposed webhooks, potentially causing unauthorized actions in external services and representing a clear confidentiality breach consistent with CWE‑200 and CWE‑862.

Affected Systems

The affected product is Wekan, specifically versions 8.31.0 through 8.33. All boards in these releases, regardless of visibility, were susceptible; public boards exposed the bug to unauthenticated DDP clients, while any board member could exploit the flaw. The issue was addressed in release 8.34.

Risk and Exploitability

The CVSS score of 6.9 indicates a medium severity vulnerability, and the EPSS of <1% suggests a low exploitation probability in general. The bug is not listed in the CISA KEV catalog. Exploitation requires the ability to subscribe to a board’s publication, which can be achieved by any board member or an unauthenticated DDP client on a public board. The attack vector is thus network‑based, relying on ordinary board access privileges.

Generated by OpenCVE AI on April 16, 2026 at 11:15 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Wekan to version 8.34 or later, where sensitive fields are filtered from board publications.
  • Review and tighten board permissions so that only authorized users can subscribe to board publications; consider restricting read‑only or comment‑only members if unnecessary.
  • Disable or restrict unauthenticated DDP access for public boards, ensuring that only authenticated clients can view board data, thereby preventing accidental exposure of integration data.

Generated by OpenCVE AI on April 16, 2026 at 11:15 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 11 Mar 2026 14:45:00 +0000

Type Values Removed Values Added
First Time appeared Wekan Project
Wekan Project wekan
CPEs cpe:2.3:a:wekan_project:wekan:*:*:*:*:*:*:*:*
Vendors & Products Wekan Project
Wekan Project wekan
Metrics cvssV3_1

{'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N'}

Mon, 09 Mar 2026 21:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 09 Mar 2026 10:15:00 +0000

Type Values Removed Values Added
First Time appeared Wekan
Wekan wekan
Vendors & Products Wekan
Wekan wekan

Fri, 06 Mar 2026 19:45:00 +0000

Type Values Removed Values Added
Description Wekan is an open source kanban tool built with Meteor. In versions 8.31.0 through 8.33, the board composite publication in Wekan publishes all integration data for a board without any field filtering, exposing sensitive fields including webhook URLs and authentication tokens to any subscriber. Since board publications are accessible to all board members regardless of their role (including read-only and comment-only users), and even to unauthenticated DDP clients for public boards, any user who can access a board can retrieve its webhook credentials. This token leak allows attackers to make unauthenticated requests to the exposed webhooks, potentially triggering unauthorized actions in connected external services. This issue has been fixed in version 8.34.
Title Wekan Exposes Sensitive Data through Lack of Field Filtering During Board Publication
Weaknesses CWE-200
CWE-862
References
Metrics cvssV4_0

{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:L/SA:N'}

Subscriptions

Wekan Wekan
Wekan Project Wekan
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-09T20:34:20.159Z

Reserved: 2026-03-05T21:27:35.341Z

Link: CVE-2026-30845

cve-icon Vulnrichment

Updated: 2026-03-09T20:27:00.849Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-06T20:16:17.190

Modified: 2026-03-11T14:36:50.037

Link: CVE-2026-30845

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-16T11:15:27Z

Weaknesses