CVE-2026-1963
Unknown Unknown - Not Provided
Improper Access Control in WeKan Attachment Storage Allows Remote Exploit

Publication date: 2026-02-05

Last updated on: 2026-03-06

Assigner: VulDB

Description
A vulnerability was found in WeKan up to 8.20. This affects an unknown function of the file models/attachments.js of the component Attachment Storage. The manipulation results in improper access controls. The attack may be launched remotely. Upgrading to version 8.21 mitigates this issue. The patch is identified as c413a7e860bc4d93fe2adcf82516228570bf382d. Upgrading the affected component is advised.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-05
Last Modified
2026-03-06
Generated
2026-06-16
AI Q&A
2026-02-05
EPSS Evaluated
2026-06-14
NVD
CVE-2026-1963
EUVD
EUVD-2026-5526
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
wekan_project wekan to 8.21 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-266 A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor.
CWE-284 The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-1963 is an improper access control vulnerability in the Wekan application, specifically in the attachment storage component within the file models/attachments.js. It allows unauthorized users to bypass access restrictions and perform operations on attachments without proper authorization.

The vulnerability arises because the application did not consistently enforce user authentication, board visibility, and privilege checks when handling attachment storage operations. This flaw could be exploited remotely.

The security fix introduces strict authentication and authorization checks, including verifying that the user is logged in, confirming the attachment exists, ensuring the user has access to the associated board, and restricting storage destinations to an allowlist. These measures prevent unauthorized access and improper handling of attachments.

Impact Analysis

This vulnerability can impact you by allowing unauthorized users to access, manipulate, or move attachments within the Wekan application without proper permissions.

Such unauthorized access can lead to data leakage, modification, or deletion of attachments, compromising the confidentiality, integrity, and availability of your data.

Because the attack can be launched remotely, it increases the risk of exploitation by attackers who do not have local access to the system.

Overall, this can undermine trust in the application and potentially expose sensitive information stored in attachments.

Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

[{'type': 'paragraph', 'content': 'The primary and immediate step to mitigate this vulnerability is to upgrade the Wekan application to version 8.21 or later, where the issue has been fixed.'}, {'type': 'paragraph', 'content': 'The patch enforces strict authentication and authorization checks on attachment storage operations, preventing unauthorized access and improper handling.'}, {'type': 'list_item', 'content': 'Upgrade Wekan to version 8.21.'}, {'type': 'list_item', 'content': 'Ensure that only authenticated users can perform attachment operations.'}, {'type': 'list_item', 'content': 'Verify that users have proper access rights to boards before allowing attachment storage operations.'}, {'type': 'list_item', 'content': "Restrict storage destination options to approved backends such as 'fs', 'gridfs', and 's3'."}] [1, 2, 3]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-1963. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart