Unauthenticated Access Risk in Wekan Kanban Tool
CVE-2026-30846

8.7 HIGH

Key Information:

Vendor

Wekan

Status
Vendor
CVE Published:
6 March 2026

What is CVE-2026-30846?

Wekan is an open-source kanban tool. Versions 8.31.0 through 8.33 contain an access control vulnerability that allows unauthenticated users to read sensitive global webhook information, including URLs and tokens. The cause is a lack of server-side authentication checks in the globalwebhooks publication: any DDP client can subscribe to it and receive this data, which can lead to unauthorized access to the webhooks and their associated external services. Users are advised to upgrade to version 8.34, which rectifies this issue.
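The class of bug described above, shown as an added example that is not Wekan's code: a small stand-in for a Meteor-style publication registry, with an unchecked publication beside one that checks the caller on the server. The publication names, the `scope` field, the admin-only rule and all sample data are assumptions made for illustration.

```javascript
// Stand-in for a Meteor-style publish/subscribe registry (constructed model).
// As in Meteor, a handler runs with this.userId set to the logged-in user's id,
// or null when the DDP connection is anonymous.
const publications = new Map();
const publish = (name, handler) => publications.set(name, handler);

// Constructed sample data: one global webhook record and two users.
const integrations = [
  { scope: 'global', url: 'https://hooks.example.invalid/in', token: 'CONSTRUCTED-TOKEN' },
];
const users = new Map([
  ['u-admin', { isAdmin: true }],
  ['u-member', { isAdmin: false }],
]);
const globalHooks = () => integrations.filter((doc) => doc.scope === 'global');

// Simulates a subscription request; returns the documents the client would receive.
function subscribe(name, userId) {
  const ctx = { userId, isReady: false, ready() { this.isReady = true; } };
  return publications.get(name).call(ctx) || [];
}

// Unchecked: the handler never looks at this.userId, so every connection,
// including an anonymous one, receives the URL and token.
publish('hooks.unchecked', function () {
  return globalHooks();
});

// Checked: identity and role are verified on the server before any document
// is returned. Hiding the settings page in the client UI is not a control.
publish('hooks.checked', function () {
  const user = this.userId ? users.get(this.userId) : undefined;
  if (!user || !user.isAdmin) {
    this.ready(); // complete the subscription with an empty result set
    return [];
  }
  return globalHooks();
});

console.log('anonymous, unchecked:', subscribe('hooks.unchecked', null).length);
console.log('anonymous, checked:  ', subscribe('hooks.checked', null).length);
console.log('admin, checked:      ', subscribe('hooks.checked', 'u-admin').length);
```

When auditing a deployment's own publications, the same question applies to each one: does the handler consult the caller's identity before it returns documents that contain secrets.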

Affected Version(s)

Wekan >= 8.31.0, < 8.34

CVSS V4

Score:
8.7
Severity:
HIGH
Confidentiality:
High
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved
