CVE-2026-1898
Improper Access Control in WeKan LDAP User Sync Allows Remote Exploitation

Publication date: 2026-02-05

Last updated on: 2026-02-10

Assigner: VulDB

Description
A vulnerability was found in WeKan up to version 8.20. It affects an unknown part of the file packages/wekan-ldap/server/syncUser.js in the LDAP User Sync component. The manipulation leads to improper access control, and the attack can be launched remotely. Upgrading to version 8.21 mitigates the issue; the fix is commit 146905a459106b5d00b4f09453a6554255e6965a. Upgrading the affected component is recommended.
Meta Information
Generated: 2026-05-27
AI Q&A: 2026-02-05
EPSS Evaluated: 2026-05-25
Affected Vendors & Products (1 associated CPE)
Vendor         Product   Version / Range
wekan_project  wekan     up to 8.21 (excluding 8.21)
CWE ID   Description
CWE-266  A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor.
CWE-284  The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-1898 is a vulnerability in Wekan versions up to 8.20, specifically in the LDAP User Sync component. The issue arises because the LDAP synchronization method lacked proper authorization checks, allowing non-admin users to trigger LDAP user synchronization. This means unauthorized users could manipulate the synchronization process, potentially leading to unauthorized data access or changes. The vulnerability is due to commented-out authorization code that should have restricted this action to administrators only.

The security fix enforces that only users with administrative privileges (verified by checking if the user is an admin) can invoke the LDAP synchronization method, preventing unauthorized access.


How can this vulnerability impact me?

This vulnerability can impact you by allowing unauthorized users to remotely trigger LDAP user synchronization in Wekan, potentially leading to unauthorized access, manipulation, or leakage of user data synchronized from LDAP.

The flaw affects the confidentiality, integrity, and availability of the system, as unauthorized actors could manipulate data or disrupt normal operations.

Exploitation is relatively easy remotely, although no public exploit is currently known. The vulnerability has a moderate severity score (CVSS v3 base score 6.3).

Upgrading to Wekan version 8.21 or later mitigates this risk.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability involves improper access controls in the LDAP User Sync component of Wekan versions up to 8.20, specifically allowing non-admin users to trigger LDAP synchronization remotely.

To detect this vulnerability on your system, you should check the version of Wekan running and verify if it is version 8.20 or earlier.

Additionally, you can audit the LDAP synchronization calls to see if non-admin users are able to invoke the ldap_sync_users Meteor method.

Suggested commands include:

  • Check Wekan version: `wekan --version` or inspect the deployed version metadata.
  • Review server logs for calls to LDAP sync functions triggered by non-admin users.
  • If you have access to the Wekan server code, verify if the authorization check on `user.isAdmin` is present in `packages/wekan-ldap/server/syncUser.js`.

What immediate steps should I take to mitigate this vulnerability?

The primary and recommended mitigation is to upgrade Wekan to version 8.21 or later, where this vulnerability has been fixed.

The fix enforces that only users with administrative privileges (verified via `user.isAdmin`) can invoke the LDAP synchronization process.

If upgrading immediately is not possible, review and apply the patch identified by commit 146905a459106b5d00b4f09453a6554255e6965a to enforce proper authorization checks.

Also, consider restricting network access to the LDAP synchronization endpoint to trusted administrators only.
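As an added illustration (not WeKan's own code), the plain-Node sketch below models the `ldap_sync_users` method both with the admin check commented out, as described for versions up to 8.20, and with the `user.isAdmin` guard the fix enforces; it also adds a small audit over constructed log lines for the log-review step suggested above. `Meteor.Error`, the user records and the log line format are stubs and assumptions made for this example.

```javascript
// Added example, not WeKan's code: the ldap_sync_users method without and with
// the admin guard, plus a log audit. Meteor.Error is stubbed so this runs under
// plain Node without Meteor installed.
const Meteor = {
  Error: class extends Error {
    constructor(code, reason) { super(`${code}: ${reason}`); this.error = code; }
  },
};

// Constructed user documents standing in for Meteor.users; the isAdmin field
// name follows the advisory text, the records themselves are made up.
const USERS = {
  alice: { _id: 'alice', username: 'alice', isAdmin: true },
  bob:   { _id: 'bob',   username: 'bob',   isAdmin: false },
};

// Vulnerable shape: the authorization lines are commented out, so whoever can
// call the method reaches the sync logic.
function ldapSyncUsersVulnerable(userId, syncFn, users = USERS) {
  // const user = users[userId];
  // if (!user || !user.isAdmin) throw new Meteor.Error('not-authorized');
  return syncFn();
}

// Hardened shape: resolve the caller first and require isAdmin === true; a
// missing userId (unauthenticated caller) is rejected the same way.
function ldapSyncUsersFixed(userId, syncFn, users = USERS) {
  const user = userId ? users[userId] : undefined;
  if (!user || user.isAdmin !== true) {
    throw new Meteor.Error('not-authorized', 'only admins may run LDAP user sync');
  }
  return syncFn();
}

// Log audit: returns the userIds of non-admin (or unknown) callers of
// ldap_sync_users. The "method=... userId=..." line format is constructed for
// this example; adapt the regex to whatever your deployment actually logs.
function findNonAdminSyncCalls(logLines, users = USERS) {
  const re = /method=ldap_sync_users\b.*?\buserId=(\S+)/;
  const hits = [];
  for (const line of logLines) {
    const m = re.exec(line);
    if (!m) continue;
    const user = users[m[1]];
    if (!user || user.isAdmin !== true) hits.push(m[1]);
  }
  return hits;
}
```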

