CVE-2026-1962
Unknown Unknown - Not Provided
Improper Access Control in WeKan Attachment Migration Component

Publication date: 2026-02-05

Last updated on: 2026-02-12

Assigner: VulDB

Description
A vulnerability has been found in WeKan up to 8.20. The impacted element is an unknown function of the file server/attachmentMigration.js of the component Attachment Migration. The manipulation leads to improper access controls. The attack may be initiated remotely. Upgrading to version 8.21 is sufficient to resolve this issue. The identifier of the patch is 053bf1dfb76ef230db162c64a6ed50ebedf67eee. It is recommended to upgrade the affected component.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-05
Last Modified
2026-02-12
Generated
2026-06-16
AI Q&A
2026-02-05
EPSS Evaluated
2026-06-14
NVD
CVE-2026-1962
EUVD
EUVD-2026-5527
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
wekan_project wekan to 8.21 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-266 A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor.
CWE-284 The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-1962 is an improper access control vulnerability found in WeKan versions up to 8.20, specifically in the attachment migration component within the file server/attachmentMigration.js.

This flaw allows unauthorized users to remotely manipulate attachment migration operations or access migration status information without proper privileges.

The vulnerability arises because the affected methods did not consistently verify that the caller had sufficient privileges on the target board.

The issue is fixed in version 8.21 by enforcing strict access control checks requiring users to be board or instance administrators for migration actions, and to have board visibility for status queries.

Impact Analysis

[{'type': 'paragraph', 'content': 'This vulnerability can lead to unauthorized access and manipulation of attachment migration processes in WeKan boards.'}, {'type': 'paragraph', 'content': 'An attacker could potentially access confidential information, alter migration data, or disrupt the availability and integrity of attachments by exploiting the improper access controls.'}, {'type': 'paragraph', 'content': 'Since the attack can be initiated remotely without user interaction, it increases the risk of exploitation.'}, {'type': 'paragraph', 'content': "Overall, it may compromise the confidentiality, integrity, and availability of the system's data related to attachments."}] [1, 2]

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability involves improper access control in the attachment migration functionality of WeKan up to version 8.20. Detection would involve verifying whether unauthorized users can access or invoke attachment migration methods without proper privileges.'}, {'type': 'paragraph', 'content': 'Since the vulnerability is related to unauthorized access to specific Meteor methods in the server/attachmentMigration.js file, detection can be approached by monitoring or testing access to these methods:'}, {'type': 'list_item', 'content': 'Attempt to call the following Meteor methods remotely without authentication or with a non-admin user to check if access is improperly granted: migrateBoardAttachments(boardId), getMigrationProgress(boardId), getUnconvertedAttachments(boardId), isBoardMigrated(boardId).'}, {'type': 'list_item', 'content': 'Use network monitoring tools to detect unusual or unauthorized API calls related to attachment migration endpoints.'}, {'type': 'paragraph', 'content': 'Specific commands depend on your environment, but example commands might include using curl or similar tools to invoke the API endpoints if exposed, or using Meteor shell commands to test method access if you have server access.'}, {'type': 'list_item', 'content': 'Example curl command to test migration progress access (replace placeholders accordingly): curl -X POST -H "Content-Type: application/json" -d \'{"method":"getMigrationProgress","params":["<boardId>"]}\' http://<wekan-server>/api'}, {'type': 'list_item', 'content': "Check server logs for unauthorized access attempts or errors related to 'not-authorized' responses from attachment migration methods."}] [1, 2, 3]

Mitigation Strategies

The primary and recommended mitigation for this vulnerability is to upgrade WeKan to version 8.21 or later, where the issue has been fixed.

The patch enforces strict access control checks requiring users to be either board administrators or instance administrators to perform attachment migration operations, and users must have visibility of the board to access migration status or progress.

  • Upgrade WeKan to version 8.21, which includes the patch identified by commit ID 053bf1dfb76ef230db162c64a6ed50ebedf67eee.
  • Restrict access to attachment migration endpoints and monitor usage until the upgrade is applied.
  • Review user privileges and ensure that only authorized board or instance administrators have access to migration functions.
Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-1962. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart