CVE-2026-1897
Authorization Bypass in WeKan Position-History Tracking Component
Publication date: 2026-02-05
Last updated on: 2026-02-10
Assigner: VulDB
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wekan_project | wekan | < 8.21 (8.21 excluded) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
| CWE-863 | The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-1897 is an authorization vulnerability found in WeKan versions up to 8.20, specifically in the Position-History Tracking component within the file server/methods/positionHistory.js.
The vulnerability arises because the software fails to perform adequate authorization checks when users attempt to access or manipulate position history data related to swimlanes, lists, and cards.
This flaw allows remote attackers to bypass authorization controls, potentially accessing sensitive position-history information without proper permissions.
The issue is fixed by upgrading to WeKan version 8.21, which includes a patch that enforces strict authentication and authorization checks.
How can this vulnerability impact me?
This vulnerability can lead to unauthorized disclosure of position-history data for swimlanes, lists, and cards within WeKan boards.
Attackers can remotely exploit this flaw without needing local or physical access, potentially gaining access to sensitive information about board activities and changes.
While it does not directly affect data integrity or availability, the confidentiality impact can expose sensitive project management details to unauthorized parties.
The ease of exploitation is moderate, and the vulnerability has a CVSSv3 base score of 4.3, indicating a medium severity risk.
Mitigation requires upgrading to version 8.21 or later, which enforces proper user authentication and board access authorization.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves missing authorization checks in the Position-History Tracking component of WeKan, allowing unauthorized remote access to position history data. Detection consists of verifying whether a user who is not logged in, or who is logged in but is not a member of the relevant board, can still read position history data for swimlanes, lists, or cards.
Since the vulnerability is related to server-side methods in the file server/methods/positionHistory.js, detection can be performed by attempting to call these methods remotely without proper authentication or with a user lacking access rights to the relevant board.
Suggested commands or steps to detect the vulnerability include:
- Attempt to invoke position history related API endpoints or Meteor methods (such as trackSwimlane, trackList, trackCard, getSwimlaneOriginalPosition, getListOriginalPosition, getCardOriginalPosition, etc.) without authentication or with a user lacking board access.
- Monitor network traffic for unauthorized access attempts to position history data.
- Use application logs to identify calls to positionHistory methods that do not enforce proper authorization.
No specific command-line commands are provided in the available resources, but testing can be done via API calls or Meteor method invocations simulating unauthorized access.
What immediate steps should I take to mitigate this vulnerability?
The primary and immediate mitigation step is to upgrade WeKan to version 8.21 or later, which includes a patch that enforces proper authentication and authorization checks in the positionHistory.js methods.
This patch ensures that all position history related methods verify that the caller is authenticated and authorized to access the relevant board, preventing unauthorized access.
Until the upgrade can be applied, consider restricting remote access to the affected Position-History Tracking component or disabling position history features if possible to reduce exposure.
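The following example is added here to illustrate both the verification step from the detection answer above (calling a position-history method with an unauthenticated or non-member caller and checking that it is refused) and the shape of the fix described in the mitigation answer (authentication followed by board-level authorization). It is not WeKan's code and not the 8.21 patch: the boards, users, record fields, the `assertBoardMember` helper and the `MethodError` stand-in for `Meteor.Error` are constructed for this illustration, written so the file runs with plain Node.js and no Meteor runtime.

```javascript
// Added illustration, not WeKan's own code. A Meteor-style server method for
// position-history lookups is shown twice: first without any authorization
// check (the CWE-862 pattern the advisory describes), then hardened so that
// the caller must be logged in and a member of the board that owns the record.

// Constructed sample data standing in for a Boards collection and a
// PositionHistory collection (field names are hypothetical).
const boards = new Map([
  ['boardA', { members: new Set(['alice', 'bob']) }],
  ['boardB', { members: new Set(['carol']) }],
]);
const positionHistory = [
  { _id: 'ph1', boardId: 'boardA', itemType: 'card', itemId: 'card1', originalPosition: 0 },
  { _id: 'ph2', boardId: 'boardB', itemType: 'card', itemId: 'card9', originalPosition: 3 },
];

// Minimal stand-in for Meteor.Error so the snippet runs without Meteor.
class MethodError extends Error {
  constructor(code, reason) {
    super(`${code}: ${reason}`);
    this.code = code;
  }
}

// VULNERABLE shape: trusts the client-supplied boardId and never consults
// ctx.userId (Meteor exposes the caller's id as this.userId inside a method).
function getCardOriginalPositionVulnerable(ctx, boardId, cardId) {
  const rec = positionHistory.find(
    (r) => r.boardId === boardId && r.itemType === 'card' && r.itemId === cardId,
  );
  return rec || null;
}

// Hardened helper (hypothetical name): authentication first, then
// authorization against the board's membership. Throws on any failure so the
// method body never reaches the query with an unverified caller.
function assertBoardMember(ctx, boardId) {
  if (!ctx.userId) throw new MethodError('not-authorized', 'login required');
  const board = boards.get(boardId);
  if (!board) throw new MethodError('not-found', 'unknown board');
  if (!board.members.has(ctx.userId)) {
    throw new MethodError('not-authorized', 'caller is not a member of this board');
  }
  return board;
}

// HARDENED shape: validate argument types, enforce membership, and filter on
// the boardId that was just authorized so a record belonging to another
// board can never be returned.
function getCardOriginalPositionHardened(ctx, boardId, cardId) {
  if (typeof boardId !== 'string' || typeof cardId !== 'string') {
    throw new MethodError('invalid-argument', 'boardId and cardId must be strings');
  }
  assertBoardMember(ctx, boardId);
  const rec = positionHistory.find(
    (r) => r.boardId === boardId && r.itemType === 'card' && r.itemId === cardId,
  );
  return rec || null;
}

// Verification helper: reports what a given caller context could learn from a
// method, or the error code the method raised. Use it in a test suite to
// confirm that anonymous and non-member callers are refused.
function probe(method, ctx, boardId, cardId) {
  try {
    const r = method(ctx, boardId, cardId);
    return r ? `pos=${r.originalPosition}` : 'none';
  } catch (e) {
    return e instanceof MethodError ? e.code : 'error';
  }
}

// In a real Meteor server the hardened function would be registered roughly
// like this (left as a comment so the file runs without Meteor):
//   Meteor.methods({
//     getCardOriginalPosition(boardId, cardId) {
//       return getCardOriginalPositionHardened(this, boardId, cardId);
//     },
//   });

module.exports = { getCardOriginalPositionVulnerable, getCardOriginalPositionHardened, assertBoardMember, probe };
```

The point of the `probe` helper is that the same three calls (anonymous caller, logged-in non-member, logged-in member) give a quick regression check: against the vulnerable method the anonymous probe returns the record, against the hardened one it returns `not-authorized`, and only the board member sees the position. Running such probes against a staging instance is the practical form of the detection advice above, and keeping them as unit tests prevents the check from silently disappearing in a later refactor.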