Arbitrary File Read Vulnerability in Wekan Kanban by Wekan
CVE-2026-52890
7.1HIGH
What is CVE-2026-52890?
Prior to version 9.31, Wekan, an open-source kanban application built with Meteor, is susceptible to an arbitrary file read vulnerability. This flaw allows authenticated board members to exploit the /attachments/insert DDP method, where they can manipulate the attacker-controlled fields 'versions.original.path' and 'versions.original.storage'. The permissions check within the server's attachment insert rule only considers board write access, resulting in a lack of adequate validation. Consequently, this enables the unauthorized reading of arbitrary files and potential denial of service attacks via sensitive file access, such as '/dev/zero'. Users are strongly advised to upgrade to version 9.31 or later to mitigate this risk.
Affected Version(s)
wekan < 9.31
