anonhaven
Ad

CVE-2026-30845

MEDIUM CVSS 4.0: 6.9 EPSS 0.08%
Updated Mar 06, 2026
Wekan
Parameter Value
CVSS 6.9 (MEDIUM)
Affected Versions 8.31.0 — 8.33
Fixed In 8.34
Type CWE-200 (Information Exposure), CWE-862 (Missing Authorization)
Vendor Wekan
Public PoC No

Wekan is an open source kanban tool built with Meteor. In versions 8.31.0 through 8.33, the board composite publication in Wekan publishes all integration data for a board without any field filtering, exposing sensitive fields including webhook URLs and authentication tokens to any subscriber. Since board publications are accessible to all board members regardless of their role (including read-only and comment-only users), and even to unauthenticated DDP clients for public boards, any user who can access a board can retrieve its webhook credentials.

This token leak allows attackers to make unauthenticated requests to the exposed webhooks, potentially triggering unauthorized actions in connected external services. This issue has been fixed in version 8.34.

Attack Parameters

Attack Vector
Network
Can be exploited remotely
Attack Complexity
Low
Easy to exploit
Attack Requirements
None
No additional conditions
Privileges Required
None
No privileges needed
User Interaction
None
No user interaction needed

Impact Assessment

Confidentiality
Low
Partial data leak
Integrity
None
No data modification
Availability
None
No disruption

CVSS Vector v4.0

Weakness Type (CWE)

CWE-200 Information Exposure
CWE-862 Missing Authorization

References 3

https://github.com/wekan/wekan/commit/8c00adc6b865653bd717a946dd646eb54ac78c9c
security-advisories@github.com
https://github.com/wekan/wekan/releases/tag/v8.34
security-advisories@github.com
https://securitylab.github.com/advisories/GHSL-2026-036_Wekan/
security-advisories@github.com
Share Post Share Share Share

Related Vulnerabilities

CVE-2026-30847

Wekan

9.3

CVE-2026-30846

Wekan

8.7

CVE-2026-30844

Wekan

9.3

CVE-2026-30843

Wekan

9.3

CVE-2026-25859

Wekan

7.1