CVE-2026-1962
Improper Access Control in WeKan Attachment Migration Component
Publication date: 2026-02-05
Last updated on: 2026-02-12
Assigner: VulDB
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wekan_project | wekan | all versions before 8.21 (8.21 excluded) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-266 | A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor. |
| CWE-284 | The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-1962 is an improper access control vulnerability found in WeKan versions up to 8.20, specifically in the attachment migration component within the file server/attachmentMigration.js.
This flaw allows unauthorized users to remotely manipulate attachment migration operations or access migration status information without proper privileges.
The vulnerability arises because the affected methods did not consistently verify that the caller had sufficient privileges on the target board.
The issue is fixed in version 8.21 by enforcing strict access control checks requiring users to be board or instance administrators for migration actions, and to have board visibility for status queries.
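As an added illustration of the rule the fix enforces (this is not WeKan's own code: the board store, user records and permission helpers are constructed for the example, and only the method names come from the advisory), a minimal JavaScript model that gates migration actions on board or instance admin rights and status queries on board visibility:

```javascript
const NOT_AUTHORIZED = 'not-authorized';
// Constructed sample data (not a real WeKan database): one private board,
// a board admin (alice), an ordinary member (bob), an instance admin who is
// not a member (carol) and an unrelated account (mallory).
const instanceAdmins = new Set(['carol']);
const boards = {
  board1: {
    permission: 'private',
    members: [
      { userId: 'alice', isAdmin: true,  isActive: true },
      { userId: 'bob',   isAdmin: false, isActive: true },
    ],
    migrated: false,
  },
};

// Status queries need board visibility: public boards are visible to all,
// private ones only to active members.
function canSeeBoard(userId, board) {
  if (board.permission === 'public') return true;
  return board.members.some(m => m.userId === userId && m.isActive);
}

// Migration actions need an instance admin or an active board admin.
function canAdministerBoard(userId, board) {
  if (instanceAdmins.has(userId)) return true;
  return board.members.some(m => m.userId === userId && m.isActive && m.isAdmin);
}

// Shared guard: an unknown board is refused the same way as a forbidden one,
// so the response does not reveal whether the boardId exists.
function requireBoard(userId, boardId, allowed) {
  const board = boards[boardId];
  if (!userId || !board || !allowed(userId, board)) throw new Error(NOT_AUTHORIZED);
  return board;
}

// Hardened methods; the pre-8.21 shape ran the body without the guard.
function migrateBoardAttachments(userId, boardId) {
  const board = requireBoard(userId, boardId, canAdministerBoard);
  board.migrated = true;
  return 'migrated';
}
function isBoardMigrated(userId, boardId) {
  return requireBoard(userId, boardId, canSeeBoard).migrated;
}

// Dispatches a call the way a method handler would, mapping a guard failure
// to a 'not-authorized' result instead of an uncaught exception.
function callAs(userId, method, boardId) {
  try { return { ok: true, value: method(userId, boardId) }; }
  catch (e) { return { ok: false, error: e.message }; }
}
```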
How can this vulnerability impact me?
This vulnerability can lead to unauthorized access and manipulation of attachment migration processes in WeKan boards.
An attacker could potentially access confidential information, alter migration data, or disrupt the availability and integrity of attachments by exploiting the improper access controls.
Since the attack can be initiated remotely without user interaction, it increases the risk of exploitation.
Overall, it may compromise the confidentiality, integrity, and availability of the system's data related to attachments. [1, 2]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves improper access control in the attachment migration functionality of WeKan up to version 8.20. Detection would involve verifying whether unauthorized users can access or invoke attachment migration methods without proper privileges.
Since the vulnerability is related to unauthorized access to specific Meteor methods in the server/attachmentMigration.js file, detection can be approached by monitoring or testing access to these methods:
- Attempt to call the following Meteor methods remotely without authentication or with a non-admin user to check if access is improperly granted: migrateBoardAttachments(boardId), getMigrationProgress(boardId), getUnconvertedAttachments(boardId), isBoardMigrated(boardId).
- Use network monitoring tools to detect unusual or unauthorized API calls related to attachment migration endpoints.
Specific commands depend on your environment, but example commands might include using curl or similar tools to invoke the API endpoints if exposed, or using Meteor shell commands to test method access if you have server access.
- Example curl command to test migration progress access (replace placeholders accordingly): `curl -X POST -H "Content-Type: application/json" -d '{"method":"getMigrationProgress","params":["<boardId>"]}' http://<wekan-server>/api`
- Check server logs for unauthorized access attempts or errors related to 'not-authorized' responses from attachment migration methods. [1, 2, 3]
What immediate steps should I take to mitigate this vulnerability?
The primary and recommended mitigation for this vulnerability is to upgrade WeKan to version 8.21 or later, where the issue has been fixed.
The patch enforces strict access control checks requiring users to be either board administrators or instance administrators to perform attachment migration operations, and users must have visibility of the board to access migration status or progress.
- Upgrade WeKan to version 8.21, which includes the patch identified by commit ID 053bf1dfb76ef230db162c64a6ed50ebedf67eee.
- Restrict access to attachment migration endpoints and monitor usage until the upgrade is applied.
- Review user privileges and ensure that only authorized board or instance administrators have access to migration functions.