CVE-2026-1896
Unknown Unknown - Not Provided
Improper Access Control in WeKan Migration Operation Handler

Publication date: 2026-02-05

Last updated on: 2026-02-10

Assigner: VulDB

Description
A vulnerability has been found in WeKan up to 8.20. Affected by this vulnerability is the function ComprehensiveBoardMigration of the file server/migrations/comprehensiveBoardMigration.js of the component Migration Operation Handler. The manipulation of the argument boardId leads to improper access controls. The attack is possible to be carried out remotely. Upgrading to version 8.21 addresses this issue. The identifier of the patch is cc35dafef57ef6e44a514a523f9a8d891e74ad8f. Upgrading the affected component is advised.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-05
Last Modified
2026-02-10
Generated
2026-06-16
AI Q&A
2026-02-05
EPSS Evaluated
2026-06-15
NVD
CVE-2026-1896
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
wekan_project wekan to 8.21 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-266 A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor.
CWE-284 The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-1896 is an improper access control vulnerability in WeKan versions up to 8.20, specifically in the ComprehensiveBoardMigration function of the Migration Operation Handler component. The vulnerability arises from the manipulation of the boardId argument, which leads to insufficient authorization checks allowing unauthorized users to execute migration steps that should be restricted.

The issue involves migration-related operations accepting parameters that expanded their operational scope improperly and lacking explicit authorization checks. The fix removed the boardId parameter from certain migration methods and introduced strict authorization checks requiring users to be board administrators or instance administrators to perform migrations.

This vulnerability can be exploited remotely and allows unauthorized access to sensitive migration functions, potentially exposing or manipulating sensitive URL data.

Impact Analysis

This vulnerability can impact you by allowing unauthorized users to bypass access controls and execute migration operations that should be restricted to administrators.

Such unauthorized access can lead to exposure or manipulation of sensitive data, including URLs containing authentication tokens, which compromises confidentiality, integrity, and availability of the system.

Because the attack can be carried out remotely, it increases the risk of exploitation without physical access to the system.

Upgrading to WeKan version 8.21 or later mitigates this risk by enforcing strict authorization checks and removing unsafe parameters.

Compliance Impact

I don't know

Detection Guidance

Detection of this vulnerability involves identifying if your Wekan installation is running a version up to 8.20 that includes the vulnerable ComprehensiveBoardMigration function with improper access controls.

You can check the Wekan version installed on your system by running commands such as:

  • For Docker-based deployments: docker exec <container_name> wekan --version
  • For direct installations: wekan --version or checking the version in the application UI or package metadata.

Additionally, monitoring logs for unauthorized or unexpected migration operations involving the ComprehensiveBoardMigration function or suspicious usage of the boardId parameter may help detect exploitation attempts.

Mitigation Strategies

The primary and immediate mitigation step is to upgrade Wekan to version 8.21 or later, as this version includes the patch that fixes the vulnerability by enforcing strict authorization checks and removing insecure parameters.

If upgrading immediately is not possible, restrict access to the migration operation handler and ensure that only trusted administrators have permissions to execute migration-related functions.

Review and monitor user roles to confirm that only board administrators or instance administrators can perform migration operations.

Apply network-level controls to limit remote access to the Wekan server, reducing the risk of remote exploitation.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-1896. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart