Description
Wekan is an open source kanban tool built with Meteor. In versions 8.31.0 through 8.33, the globalwebhooks publication exposes all global webhook integrations—including sensitive url and token fields—without performing any authentication check on the server side. Although the subscription is normally invoked from the admin settings page, the server-side publication has no access control, meaning any DDP client, including unauthenticated ones, can subscribe and receive the data. This allows an unauthenticated attacker to retrieve global webhook URLs and authentication tokens, potentially enabling unauthorized use of those webhooks and access to connected external services. This issue has been fixed in version 8.34.
Published: 2026-03-06
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Information disclosure
Action: Immediate patch
AI Analysis

Impact

The vulnerability lies in Wekan's globalwebhooks publication, which fails to enforce authentication on the server side. As a result, any DDP client, even if unauthenticated, can subscribe to this publication and obtain all global webhook URLs and associated tokens. This permits an attacker to exfiltrate sensitive configuration data and potentially misuse the webhooks to access external services. The defect corresponds to CWE-200 (Information Exposure) and CWE-306 (Missing Authentication).

Affected Systems

Wekan installations running versions 8.31.0 through 8.33 are affected. The issue is present in all builds of those releases regardless of deployment configuration, and is resolved in version 8.34 and newer.

Risk and Exploitability

The CVSS score is 8.7, categorizing the vulnerability as High severity, but the EPSS score is less than 1%, indicating a low probability of exploitation under current conditions. The vulnerability is not listed in CISA’s KEV catalog. Attackers can exploit it by sending a DDP subscription to the globalwebhooks publication from any network location with access to the Wekan server, including unauthenticated clients. This exposes sensitive data and gives the attacker the ability to use or interfere with external services linked through the webhooks.

Generated by OpenCVE AI on April 16, 2026 at 11:14 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Wekan to version 8.34 or later, which removes the authentication oversight in the globalwebhooks publication.
  • If an immediate upgrade is not possible, restrict network access to the Wekan DDP API so that only trusted clients can reach the server, thereby preventing unauthenticated subscriptions.
  • As a temporary measure, disable or remove the globalwebhooks publication from the server until a patch is applied.

Generated by OpenCVE AI on April 16, 2026 at 11:14 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 11 Mar 2026 14:30:00 +0000

Type Values Removed Values Added
First Time appeared Wekan Project
Wekan Project wekan
CPEs cpe:2.3:a:wekan_project:wekan:*:*:*:*:*:*:*:*
Vendors & Products Wekan Project
Wekan Project wekan
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

Mon, 09 Mar 2026 21:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 09 Mar 2026 10:15:00 +0000

Type Values Removed Values Added
First Time appeared Wekan
Wekan wekan
Vendors & Products Wekan
Wekan wekan

Fri, 06 Mar 2026 19:45:00 +0000

Type Values Removed Values Added
Description Wekan is an open source kanban tool built with Meteor. In versions 8.31.0 through 8.33, the globalwebhooks publication exposes all global webhook integrations—including sensitive url and token fields—without performing any authentication check on the server side. Although the subscription is normally invoked from the admin settings page, the server-side publication has no access control, meaning any DDP client, including unauthenticated ones, can subscribe and receive the data. This allows an unauthenticated attacker to retrieve global webhook URLs and authentication tokens, potentially enabling unauthorized use of those webhooks and access to connected external services. This issue has been fixed in version 8.34.
Title Wekan Exposes All Global Webhook Integrations through globalwebhooks Publication
Weaknesses CWE-200
CWE-306
References
Metrics cvssV4_0

{'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:L/SA:N'}

Subscriptions

Wekan Wekan
Wekan Project Wekan
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-09T20:34:19.977Z

Reserved: 2026-03-05T21:27:35.341Z

Link: CVE-2026-30846

cve-icon Vulnrichment

Updated: 2026-03-09T20:26:58.301Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-06T20:16:17.357

Modified: 2026-03-11T14:24:30.953

Link: CVE-2026-30846

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-16T11:15:27Z

Weaknesses