CVE-2026-30846

Wekan is an open source kanban tool built with Meteor. In versions 8.31.0 through 8.33, the globalwebhooks publication exposes all global webhook integrations—including sensitive url and token fields—without performing any authentication check on the server side. Although the subscription is normally invoked from the admin settings page, the server-side publication has no access control, meaning any DDP client, including unauthenticated ones, can subscribe and receive the data. This allows an unauthenticated attacker to retrieve global webhook URLs and authentication tokens, potentially enabling unauthorized use of those webhooks and access to connected external services. This issue has been fixed in version 8.34.

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/wekan/wekan/commit/1ee9b2e917104f54c035f6426169a28fedecbdb6	Patch
https://github.com/wekan/wekan/releases/tag/v8.34	Release Notes
https://securitylab.github.com/advisories/GHSL-2026-037_Wekan/	Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:wekan_project:wekan:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2026-03-06 20:16

Updated : 2026-03-11 14:24

NVD link : CVE-2026-30846

Mitre link : CVE-2026-30846

CVE.ORG link : CVE-2026-30846

JSON object : View

Products Affected

wekan_project

wekan

CWE

CWE-200

Exposure of Sensitive Information to an Unauthorized Actor

CWE-306

Missing Authentication for Critical Function

{"id": "CVE-2026-30846", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 3.9}], "cvssMetricV40": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 8.7, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "LOW", "vulnIntegrityImpact": "NONE", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2026-03-06T20:16:17.357", "references": [{"url": "https://github.com/wekan/wekan/commit/1ee9b2e917104f54c035f6426169a28fedecbdb6", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/wekan/wekan/releases/tag/v8.34", "tags": ["Release Notes"], "source": "security-advisories@github.com"}, {"url": "https://securitylab.github.com/advisories/GHSL-2026-037_Wekan/", "tags": ["Third Party Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-200"}, {"lang": "en", "value": "CWE-306"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-306"}]}], "descriptions": [{"lang": "en", "value": "Wekan is an open source kanban tool built with Meteor. In versions 8.31.0 through 8.33, the globalwebhooks publication exposes all global webhook integrations\u2014including sensitive url and token fields\u2014without performing any authentication check on the server side. Although the subscription is normally invoked from the admin settings page, the server-side publication has no access control, meaning any DDP client, including unauthenticated ones, can subscribe and receive the data. This allows an unauthenticated attacker to retrieve global webhook URLs and authentication tokens, potentially enabling unauthorized use of those webhooks and access to connected external services. This issue has been fixed in version 8.34."}, {"lang": "es", "value": "Wekan es una herramienta kanban de c\u00f3digo abierto construida con Meteor. En las versiones 8.31.0 a 8.33, la publicaci\u00f3n globalwebhooks expone todas las integraciones de webhook globales \u2014incluyendo campos sensibles de URL y token\u2014 sin realizar ninguna comprobaci\u00f3n de autenticaci\u00f3n en el lado del servidor. Aunque la suscripci\u00f3n se invoca normalmente desde la p\u00e1gina de configuraci\u00f3n de administrador, la publicaci\u00f3n del lado del servidor no tiene control de acceso, lo que significa que cualquier cliente DDP, incluidos los no autenticados, puede suscribirse y recibir los datos. Esto permite a un atacante no autenticado recuperar URLs de webhook globales y tokens de autenticaci\u00f3n, lo que podr\u00eda permitir el uso no autorizado de esos webhooks y el acceso a servicios externos conectados. Este problema ha sido solucionado en la versi\u00f3n 8.34."}], "lastModified": "2026-03-11T14:24:30.953", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:wekan_project:wekan:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "82F22D3F-FA6B-485B-94AE-266CD62CC379", "versionEndExcluding": "8.33", "versionStartIncluding": "8.31"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}