CVE-2026-1896
Improper Access Control in WeKan Migration Operation Handler
Publication date: 2026-02-05
Last updated on: 2026-02-10
Assigner: VulDB
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wekan_project | wekan | up to 8.21 (exclusive), i.e. 8.20 and earlier |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-266 | A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor. |
| CWE-284 | The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-1896 is an improper access control vulnerability in WeKan versions up to and including 8.20, located in the ComprehensiveBoardMigration function of the Migration Operation Handler component. The affected migration methods accepted a caller-supplied boardId argument and did not verify that the caller was entitled to operate on that board, so an authenticated user could point a migration step at an arbitrary board by manipulating boardId and have it execute there.
Two things combined to create the issue: the migration methods took parameters that widened their operational scope beyond what the caller should control, and they carried no explicit authorization check of their own. The fix in 8.21 removed the boardId parameter from the affected migration methods, so the board is determined on the server rather than by the caller, and added a strict authorization check that requires the caller to be an administrator of the board in question or an instance administrator before any migration step runs.
The vulnerability is reachable remotely by anyone who can call the migration methods, and it grants access to migration functions that should have been restricted, which the advisory notes can expose or alter sensitive URL data handled by those migrations.
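The following is an added example, not WeKan's own source code, that models the authorization gap described above and the shape of the fix. It assumes (these details are not taken from the advisory) that users carry an `isAdmin` flag for instance administrators, that boards carry a `members` array of `{ userId, isAdmin, isActive }` entries, and that migration methods are invoked server-side by an authenticated user identified by `userId`. The sample users and boards are constructed for the demonstration.

```javascript
// Added illustrative example for CVE-2026-1896; not code from the WeKan project.
// Assumptions (not from the advisory): users have an `isAdmin` flag, boards have
// a `members` array of { userId, isAdmin, isActive }, and migration methods run
// server-side on behalf of an authenticated `userId`.

// Constructed sample data.
const users = {
  alice: { _id: 'alice', isAdmin: true },   // instance administrator
  bob:   { _id: 'bob',   isAdmin: false },  // admin of board b1 only
  carol: { _id: 'carol', isAdmin: false },  // plain member of b1, deactivated admin of b2
  dave:  { _id: 'dave',  isAdmin: false },  // authenticated, member of no board
};

const boards = {
  b1: { _id: 'b1', members: [
    { userId: 'bob',   isAdmin: true,  isActive: true },
    { userId: 'carol', isAdmin: false, isActive: true },
  ] },
  b2: { _id: 'b2', members: [
    { userId: 'carol', isAdmin: true, isActive: false },
  ] },
};

// Stand-in for a real migration step: records which (user, board) pair it ran for.
function runMigrationStep(log, userId, boardId) {
  log.push(`${userId}:${boardId}`);
  return true;
}

// BEFORE (vulnerable shape): trusts the caller-supplied boardId and never asks
// who is calling, so any authenticated user can migrate any board.
function comprehensiveBoardMigrationVulnerable(userId, boardId, log) {
  const board = boards[boardId];
  if (!board) throw new Error('board not found');
  return runMigrationStep(log, userId, board._id);
}

function isInstanceAdmin(userId) {
  return Boolean(users[userId] && users[userId].isAdmin);
}

// Only an active member flagged isAdmin counts; a deactivated admin does not.
function isActiveBoardAdmin(board, userId) {
  return board.members.some(m => m.userId === userId && m.isAdmin && m.isActive);
}

// AFTER (hardened, per-board): boardId still identifies the target, but the
// caller must be an instance admin or an active admin of that specific board.
function comprehensiveBoardMigrationHardened(userId, boardId, log) {
  if (!users[userId]) throw new Error('not-authorized: login required');
  const board = boards[boardId];
  if (!board) throw new Error('board not found');
  if (!isInstanceAdmin(userId) && !isActiveBoardAdmin(board, userId)) {
    throw new Error('not-authorized: board admin or instance admin required');
  }
  return runMigrationStep(log, userId, board._id);
}

// AFTER (hardened, instance-wide): the boardId parameter is removed entirely.
// The server decides which boards are in scope, and only an instance admin may run it.
function migrateAllBoardsHardened(userId, log) {
  if (!isInstanceAdmin(userId)) {
    throw new Error('not-authorized: instance admin required');
  }
  return Object.values(boards).map(b => runMigrationStep(log, userId, b._id)).length;
}

// Wraps a call so callers can inspect the outcome without try/catch noise.
function attempt(fn, ...args) {
  try {
    return { ok: true, value: fn(...args) };
  } catch (e) {
    return { ok: false, error: e.message };
  }
}

// Stand-alone demonstration.
const demoLog = [];
console.log('vulnerable, dave -> b1:', attempt(comprehensiveBoardMigrationVulnerable, 'dave', 'b1', demoLog));
console.log('hardened,   dave -> b1:', attempt(comprehensiveBoardMigrationHardened, 'dave', 'b1', demoLog));
console.log('hardened,   bob  -> b1:', attempt(comprehensiveBoardMigrationHardened, 'bob', 'b1', demoLog));
console.log('hardened,   carol-> b2:', attempt(comprehensiveBoardMigrationHardened, 'carol', 'b2', demoLog));
console.log('all boards, bob:', attempt(migrateAllBoardsHardened, 'bob', demoLog));
console.log('all boards, alice:', attempt(migrateAllBoardsHardened, 'alice', demoLog));
console.log('steps that ran:', demoLog);
```

Run with `node` to see that the vulnerable method executes a migration for `dave`, who has no relationship to board `b1`, while the hardened variants refuse everyone except an active admin of that board or an instance administrator. The instance-wide variant shows why removing a scope-widening parameter matters: once the server picks the boards, a caller has nothing left to tamper with.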
How can this vulnerability impact me?
An authenticated user who is neither an administrator of a given board nor an instance administrator can bypass the intended access control and execute migration operations against that board, operations that were meant for administrators only.
The advisory ties this to exposure or manipulation of sensitive data, including URLs that contain authentication tokens, so the direct concern is the confidentiality and integrity of board data; availability is affected only insofar as a mis-targeted migration step rewrites or corrupts board state.
Because the migration methods are reachable over the network by any authenticated user, exploitation needs no local or physical access to the server.
Upgrading to WeKan 8.21 or later removes the risk: the patched release enforces the board-admin-or-instance-admin check and drops the caller-supplied boardId parameter from the affected methods.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection comes down to confirming whether a WeKan instance is running a version up to and including 8.20, since every such release carries the unguarded ComprehensiveBoardMigration function. WeKan does not ship a standalone command-line binary that reports its version, so check it through one of the following routes:
- In the application itself: log in as an instance administrator and read the version shown in the Admin Panel.
- For Docker-based deployments: read the image tag the container was started from, for example docker inspect --format '{{.Config.Image}}' <container_name> (a tag such as v8.20 or older is affected); if the container runs a floating tag like latest, inspect the image's labels or the bundle's package.json inside the container instead.
- For Snap installations: snap list wekan shows the installed revision and version.
- For source or bundle installations: read the version field in the package.json of the deployed bundle.
For detecting exploitation attempts rather than exposure, watch the server logs for migration-related method calls, in particular ComprehensiveBoardMigration, issued by accounts that are not instance administrators or administrators of the board named in the request, and for migration calls that name boards the calling user is not a member of at all. WeKan does not log every method invocation by default, so this may require raising the server's log level or adding logging around the migration methods.
What immediate steps should I take to mitigate this vulnerability?
The primary and immediate mitigation is to upgrade WeKan to version 8.21 or later. That release contains the fix: the affected migration methods now require the caller to be a board administrator or an instance administrator, and the caller-supplied boardId parameter has been removed from them.
If upgrading immediately is not possible, reduce who can reach the migration methods at all: the vulnerability is exploitable by any authenticated user, so disable open self-registration, remove or disable accounts that are not needed, and keep the set of accounts small and trusted until the patch is applied.
Review user roles and board memberships so that only the intended board administrators and instance administrators hold administrative rights, and treat any unexpected migration activity by other accounts as a potential exploitation attempt.
Apply network-level controls (VPN, allow-listing, or an authenticating reverse proxy) to limit who can reach the WeKan server remotely, which shrinks the population of users able to trigger the vulnerable methods.