CVE-2026-1963
Improper Access Control in WeKan Attachment Storage Allows Remote Exploit
Publication date: 2026-02-05
Last updated on: 2026-03-06
Assigner: VulDB
Description
CVSS Scores
EPSS Scores
| Probability | |
|---|---|
| Percentile | |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wekan_project | wekan | up to 8.21 (excluding 8.21) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-266 | A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor. |
| CWE-284 | The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-1963 is an improper access control vulnerability in the Wekan application, specifically in the attachment storage component within the file models/attachments.js. It allows unauthorized users to bypass access restrictions and perform operations on attachments without proper authorization.
The vulnerability arises because the application did not consistently enforce user authentication, board visibility, and privilege checks when handling attachment storage operations. This flaw could be exploited remotely.
The security fix introduces strict authentication and authorization checks, including verifying that the user is logged in, confirming the attachment exists, ensuring the user has access to the associated board, and restricting storage destinations to an allowlist. These measures prevent unauthorized access and improper handling of attachments.
How can this vulnerability impact me?
This vulnerability can impact you by allowing unauthorized users to access, manipulate, or move attachments within the Wekan application without proper permissions.
Such unauthorized access can lead to data leakage, modification, or deletion of attachments, compromising the confidentiality, integrity, and availability of your data.
Because the attack can be launched remotely, it increases the risk of exploitation by attackers who do not have local access to the system.
Overall, this can undermine trust in the application and potentially expose sensitive information stored in attachments.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
I don't know
What immediate steps should I take to mitigate this vulnerability?
The primary and immediate step to mitigate this vulnerability is to upgrade the Wekan application to version 8.21 or later, where the issue has been fixed.
The patch enforces strict authentication and authorization checks on attachment storage operations, preventing unauthorized access and improper handling.
- Upgrade Wekan to version 8.21.
- Ensure that only authenticated users can perform attachment operations.
- Verify that users have proper access rights to boards before allowing attachment storage operations.
- Restrict storage destination options to approved backends such as 'fs', 'gridfs', and 's3'.
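The mitigation steps above describe four checks (caller is logged in, attachment exists, caller can access the attachment's board, destination is on an allowlist) applied to an attachment storage operation. The following is an added example written for this page, not WeKan's own code from models/attachments.js: it models the unchecked operation next to a hardened version that fails closed on every one of those checks. The in-memory collections, user ids, function names and the AccessDenied error type are all hypothetical stand-ins; only the allowlisted backend names ('fs', 'gridfs', 's3') come from the advisory text.

```javascript
// Added example modelling the access-control checks described for CVE-2026-1963.
// Not WeKan code: every identifier below is a hypothetical stand-in.

// Constructed in-memory data standing in for the Boards and Attachments collections.
const boards = new Map([
  ["b-public", { _id: "b-public", permission: "public", members: [] }],
  ["b-private", { _id: "b-private", permission: "private", members: ["u-alice"] }],
]);
const attachments = new Map([
  ["a1", { _id: "a1", boardId: "b-private", storage: "fs" }],
  ["a2", { _id: "a2", boardId: "b-public", storage: "gridfs" }],
]);

// Approved storage backends named in the advisory; anything else is rejected.
const ALLOWED_STORAGE = new Set(["fs", "gridfs", "s3"]);

class AccessDenied extends Error {}

// Model of the unchecked operation: no identity, existence, board or
// destination check, so the caller's input flows straight into the record.
function moveAttachmentUnchecked(attachmentId, destination) {
  const att = attachments.get(attachmentId);
  att.storage = destination;
  return att;
}

// Board visibility rule used by the hardened version (hypothetical policy:
// public boards are readable by anyone logged in, private boards by members).
function canUserSeeBoard(userId, board) {
  return board.permission === "public" || board.members.includes(userId);
}

// Hardened operation: each check from the advisory, in order, failing closed.
function moveAttachmentChecked(userId, attachmentId, destination) {
  if (!userId) throw new AccessDenied("login required");
  const att = attachments.get(attachmentId);
  if (!att) throw new AccessDenied("attachment not found");
  const board = boards.get(att.boardId);
  if (!board || !canUserSeeBoard(userId, board)) {
    throw new AccessDenied("no access to board");
  }
  if (!ALLOWED_STORAGE.has(destination)) {
    throw new AccessDenied("storage destination not allowed");
  }
  att.storage = destination;
  return att;
}

// Convenience wrapper that reports the outcome as a string instead of throwing,
// which makes the decision table easy to audit.
function tryMove(userId, attachmentId, destination) {
  try {
    moveAttachmentChecked(userId, attachmentId, destination);
    return "ok";
  } catch (e) {
    if (e instanceof AccessDenied) return e.message;
    throw e;
  }
}
```

The destination allowlist is the check most easily overlooked: even a fully authorized user should not be able to name an arbitrary backend string, so the hardened function rejects it after the identity and board checks rather than trusting the value because the caller passed the earlier gates.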