CVE-2026-1898
Unknown Unknown - Not Provided
Improper Access Control in WeKan LDAP User Sync Allows Remote Exploitation

Publication date: 2026-02-05

Last updated on: 2026-02-10

Assigner: VulDB

Description
A vulnerability was determined in WeKan up to 8.20. This affects an unknown part of the file packages/wekan-ldap/server/syncUser.js of the component LDAP User Sync. This manipulation causes improper access controls. It is possible to initiate the attack remotely. Upgrading to version 8.21 is able to mitigate this issue. Patch name: 146905a459106b5d00b4f09453a6554255e6965a. You should upgrade the affected component.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-05
Last Modified
2026-02-10
Generated
2026-06-16
AI Q&A
2026-02-05
EPSS Evaluated
2026-06-14
NVD
CVE-2026-1898
EUVD
EUVD-2026-5537
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
wekan_project wekan to 8.21 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-266 A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor.
CWE-284 The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-1898 is a vulnerability in Wekan versions up to 8.20, specifically in the LDAP User Sync component. The issue arises because the LDAP synchronization method lacked proper authorization checks, allowing non-admin users to trigger LDAP user synchronization. This means unauthorized users could manipulate the synchronization process, potentially leading to unauthorized data access or changes. The vulnerability is due to commented-out authorization code that should have restricted this action to administrators only.

The security fix enforces that only users with administrative privileges (verified by checking if the user is an admin) can invoke the LDAP synchronization method, preventing unauthorized access.

Impact Analysis

This vulnerability can impact you by allowing unauthorized users to remotely trigger LDAP user synchronization in Wekan, potentially leading to unauthorized access, manipulation, or leakage of user data synchronized from LDAP.

The flaw affects the confidentiality, integrity, and availability of the system, as unauthorized actors could manipulate data or disrupt normal operations.

Exploitation is relatively easy remotely, although no public exploit is currently known. The vulnerability has a moderate severity score (CVSS v3 base score 6.3).

Upgrading to Wekan version 8.21 or later mitigates this risk.

Compliance Impact

I don't know

Detection Guidance

This vulnerability involves improper access controls in the LDAP User Sync component of Wekan versions up to 8.20, specifically allowing non-admin users to trigger LDAP synchronization remotely.

To detect this vulnerability on your system, you should check the version of Wekan running and verify if it is version 8.20 or earlier.

Additionally, you can audit the LDAP synchronization calls to see if non-admin users are able to invoke the ldap_sync_users Meteor method.

Suggested commands include:

  • Check Wekan version: `wekan --version` or inspect the deployed version metadata.
  • Review server logs for calls to LDAP sync functions triggered by non-admin users.
  • If you have access to the Wekan server code, verify if the authorization check on `user.isAdmin` is present in `packages/wekan-ldap/server/syncUser.js`.
Mitigation Strategies

The primary and recommended mitigation is to upgrade Wekan to version 8.21 or later, where this vulnerability has been fixed.

The fix enforces that only users with administrative privileges (verified via `user.isAdmin`) can invoke the LDAP synchronization process.

If upgrading immediately is not possible, review and apply the patch identified by commit 146905a459106b5d00b4f09453a6554255e6965a to enforce proper authorization checks.

Also, consider restricting network access to the LDAP synchronization endpoint to trusted administrators only.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-1898. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart