Description
Wekan is an open source kanban tool built with Meteor. In versions 8.31.0 through 8.33, the notificationUsers publication in Wekan publishes user documents with no field filtering, causing the ReactiveCache.getUsers() call to return all fields including highly sensitive data such as bcrypt password hashes, active session login tokens, email verification tokens, full email addresses, and any stored OAuth tokens. Unlike Meteor's default auto-publication which strips the services field for security, custom publications return whatever fields the cursor contains, meaning all subscribers receive the complete user documents. Any authenticated user who triggers this publication can harvest credentials and active session tokens for other users, enabling password cracking, session hijacking, and full account takeover. This issue has been fixed in version 8.34.
Published: 2026-03-06
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Compromise of Credentials
Action: Immediate Patch
AI Analysis

Impact

Wekan versions 8.31.0 through 8.33 expose all user fields through the notificationUsers publication. Because no filtering is applied, subscribers receive sensitive data such as bcrypt password hashes, session tokens, email verification tokens, full email addresses, and OAuth tokens. The weakness corresponds to information disclosure (CWE‑200) and improper authorization (CWE‑285). An attacker can harvest this data and use it for password cracking, session hijacking, and full account takeover, jeopardizing confidentiality and integrity of all affected accounts.

Affected Systems

The vulnerability affects the open‑source kanban tool Wekan, specifically versions 8.31.0 to 8.33. The issue is present in all installations running those releases and is resolved in version 8.34 or later.

Risk and Exploitability

The CVSS score of 9.3 indicates critical severity, and the EPSS score of less than 1% suggests low current exploit probability. The vulnerability is not listed in CISA’s KEV catalog. The attack requires an authenticated user to trigger the notificationUsers publication; any such user can harvest credentials of all other users. The lack of field filtering in the publication allows the entire user document to be exposed, making remediation urgent.

Generated by OpenCVE AI on April 16, 2026 at 11:14 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Upgrade Wekan to version 8.34 or later to apply the publisher filter fix
  • Revise or disable the custom notificationUsers publication to restrict exposed fields
  • Force affected users to re‑authenticate or reset passwords to invalidate stolen session tokens

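To make the publication-level defect in the description and the "restrict exposed fields" action above concrete, here is an added example (not Wekan's or Meteor's code): a Mongo-style `fields` projection and `Meteor.users.find()` are replaced by small in-memory stand-ins, a constructed user document carries placeholder hash and token values, and an unfiltered publish handler sits beside one with an explicit field allow-list plus a check for which sensitive keys reach subscribers. The names `project`, `findUsers`, `publishUnfiltered`, `publishFiltered`, `SAFE_USER_FIELDS` and `leakedSensitiveFields` are assumptions.

```javascript
// Added example (not Wekan's code): a Meteor publication simulated offline.
// Constructed user document shaped like a Meteor accounts record; every
// hash and token value below is a placeholder, not real data.
const SAMPLE_USERS = [
  {
    _id: "user1",
    username: "alice",
    profile: { fullname: "Alice", notifications: [] },
    emails: [{ address: "alice@example.test", verified: true }],
    services: {
      password: { bcrypt: "$2b$10$PLACEHOLDER_HASH" },
      resume: { loginTokens: [{ hashedToken: "PLACEHOLDER_TOKEN" }] },
    },
  },
];

// Minimal stand-in for Mongo's inclusive `fields` projection: keep `_id`
// plus the top-level keys set to 1. No projection at all means "return
// everything", which is what a custom publication with no filter sends.
function project(doc, fields) {
  if (!fields) return { ...doc };
  const out = { _id: doc._id };
  for (const [key, include] of Object.entries(fields)) {
    if (include && key in doc) out[key] = doc[key];
  }
  return out;
}

// In-memory stand-in for `Meteor.users.find({}, { fields })`.
function findUsers(fields) {
  return SAMPLE_USERS.map((u) => project(u, fields));
}

// Vulnerable shape: subscribers get whatever the cursor contains.
function publishUnfiltered() { return findUsers(); }

// Hardened shape: an explicit allow-list of the fields the client needs;
// `services` and `emails` are never part of it.
const SAFE_USER_FIELDS = { username: 1, profile: 1 };
function publishFiltered() { return findUsers(SAFE_USER_FIELDS); }

// Defender's check: which sensitive top-level keys reach subscribers?
const SENSITIVE_KEYS = ["services", "emails"];
function leakedSensitiveFields(publishedDocs) {
  const leaked = new Set();
  for (const doc of publishedDocs) {
    for (const key of SENSITIVE_KEYS) if (key in doc) leaked.add(key);
  }
  return [...leaked].sort();
}
```

The same check can be run against a real publication's cursor output in a test to catch a missing projection before it ships.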


Advisories

No advisories yet.

History

Wed, 11 Mar 2026 14:30:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Wekan Project
                                      Wekan Project wekan
CPEs                                  cpe:2.3:a:wekan_project:wekan:*:*:*:*:*:*:*:*
Vendors & Products                    Wekan Project
                                      Wekan Project wekan
Metrics                               cvssV3_1
                                      {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}


Mon, 09 Mar 2026 21:15:00 +0000

Type      Values Removed   Values Added
Metrics                    ssvc
                           {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 09 Mar 2026 10:15:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Wekan
                                      Wekan wekan
Vendors & Products                    Wekan
                                      Wekan wekan

Fri, 06 Mar 2026 20:00:00 +0000

Type          Values Removed   Values Added
Description                    Wekan is an open source kanban tool built with Meteor. In versions 8.31.0 through 8.33, the notificationUsers publication in Wekan publishes user documents with no field filtering, causing the ReactiveCache.getUsers() call to return all fields including highly sensitive data such as bcrypt password hashes, active session login tokens, email verification tokens, full email addresses, and any stored OAuth tokens. Unlike Meteor's default auto-publication which strips the services field for security, custom publications return whatever fields the cursor contains, meaning all subscribers receive the complete user documents. Any authenticated user who triggers this publication can harvest credentials and active session tokens for other users, enabling password cracking, session hijacking, and full account takeover. This issue has been fixed in version 8.34.
Title                          Wekan Credential Leak via notificationUsers Publication Exposes Password Hashes and Session Tokens
Weaknesses                     CWE-200
                               CWE-285
References
Metrics                        cvssV4_0
                               {'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:H/SA:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-09T20:34:19.842Z

Reserved: 2026-03-05T21:27:35.341Z

Link: CVE-2026-30847

Vulnrichment

Updated: 2026-03-09T20:26:55.584Z

NVD

Status: Analyzed

Published: 2026-03-06T20:16:17.530

Modified: 2026-03-11T14:22:57.470

Link: CVE-2026-30847

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T11:15:27Z

Weaknesses