Data Exposure in Wekan Kanban Tool Affecting Multiple Versions
CVE-2026-30847
9.3 CRITICAL
What is CVE-2026-30847?
Wekan, an open-source kanban tool, has a vulnerability in which the notificationUsers publication does not restrict the fields of the user documents it sends to clients. In Wekan versions 8.31.0 through 8.33, this exposes sensitive user data, including bcrypt password hashes, active session (login) tokens and email verification tokens, to every authenticated user. Because the publication bypasses the field restrictions that Meteor applies to the users collection by default, any authenticated user can read these credentials and hijack other users' active sessions, leading to account takeover. The issue is fixed in version 8.34. Upgrading does not by itself invalidate session tokens that were already exposed, so operators should also terminate existing sessions and treat the exposed password hashes as potentially compromised.
Affected Version(s)
Wekan >= 8.31.0, < 8.34
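The following is an added example, not code from Wekan, that models the difference between a Meteor publication that returns user documents with no field projection and one that applies an explicit allow-list. The sample user document, the field names in SAFE_FIELDS and the helper names (project, vulnerablePublish, fixedPublish, leakedPaths) are assumptions chosen for illustration; only the three secret paths reflect where Meteor stores password hashes, login tokens and verification tokens.

```javascript
// Added example (not Wekan's code): how a publication's field projection decides
// what a subscriber receives from the users collection, and a check for leaks.

// Constructed sample user document in Meteor's usual layout. All values are dummies.
const sampleUser = {
  _id: "u1",
  username: "alice",
  emails: [{ address: "alice@example.com", verified: false }],
  profile: { fullname: "Alice" },
  services: {
    password: { bcrypt: "$2b$10$" + "x".repeat(53) },            // dummy hash
    resume: { loginTokens: [{ hashedToken: "dummy-login-token", when: 0 }] },
    email: { verificationTokens: [{ token: "dummy-verify-token", address: "alice@example.com" }] },
  },
};

// Apply a MongoDB-style inclusion projection ({ "a.b": 1 }) to one document.
// _id is always kept, as Mongo does. (Assumed helper, written for this example.)
function project(doc, fields) {
  const out = { _id: doc._id };
  for (const path of Object.keys(fields)) {
    if (!fields[path]) continue;
    const parts = path.split(".");
    let src = doc;
    let dst = out;
    for (let i = 0; i < parts.length; i++) {
      const key = parts[i];
      if (src === null || typeof src !== "object" || !(key in src)) break;
      if (i === parts.length - 1) {
        dst[key] = src[key];
      } else {
        dst[key] = dst[key] || {};
        src = src[key];
        dst = dst[key];
      }
    }
  }
  return out;
}

// Vulnerable shape: every field of every matched user is sent to the client.
// Equivalent to publishing a users cursor with no `fields` option.
function vulnerablePublish(users) {
  return users.map((u) => JSON.parse(JSON.stringify(u)));
}

// Hardened shape: only an explicit allow-list of non-sensitive fields leaves the server.
// (Assumed allow-list for this example; mirrors the fields Meteor publishes by default.)
const SAFE_FIELDS = { username: 1, profile: 1, emails: 1 };
function fixedPublish(users) {
  return users.map((u) => project(u, SAFE_FIELDS));
}

// Paths that must never reach a client. These are Meteor's standard locations.
const SECRET_PATHS = [
  "services.password.bcrypt",
  "services.resume.loginTokens",
  "services.email.verificationTokens",
];

function getPath(doc, path) {
  return path.split(".").reduce((o, k) => (o && typeof o === "object" ? o[k] : undefined), doc);
}

// Check: which secret paths are present in documents a subscriber received?
function leakedPaths(docs) {
  const found = new Set();
  for (const d of docs) {
    for (const p of SECRET_PATHS) {
      if (getPath(d, p) !== undefined) found.add(p);
    }
  }
  return [...found].sort();
}

console.log("unfiltered publication leaks:", leakedPaths(vulnerablePublish([sampleUser])));
console.log("projected publication leaks:", leakedPaths(fixedPublish([sampleUser])));
```

The same leakedPaths check can be run in a browser console against the documents a client actually holds (for example over Meteor.users.find().fetch() while subscribed to the affected publication): on a fixed instance no secret path should be present in any document other than the logged-in user's own.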
