CVE-2026-2205
Information Disclosure in WeKan Meteor Publication Handler (cards.js)
Publication date: 2026-02-08
Last updated on: 2026-02-11
Assigner: VulDB
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wekan_project | wekan | up to 8.21 (excluding) |
| CWE ID | Description |
|---|---|
| CWE-284 | The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor. |
| CWE-200 | The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-2205 is an information disclosure vulnerability in WeKan versions up to 8.20, specifically in the Meteor Publication Handler component within the file server/publications/cards.js.
The vulnerability occurs because the publication mechanism does not properly verify if the requesting user has permission to view the parent board before returning card data.
This improper access control allows unauthorized remote attackers to access sensitive card information they should not see, leading to exposure of confidential data.
The issue is classified under CWE-200 (Exposure of Sensitive Information) and can be exploited remotely without local access.
Mitigation involves upgrading WeKan to version 8.21, which includes a patch that enforces strict permission checks and board visibility validation before publishing card data.
How can this vulnerability impact me?
This vulnerability can lead to unauthorized disclosure of sensitive information contained in cards within the WeKan application.
Attackers exploiting this flaw can remotely access confidential card data without proper authorization, compromising the confidentiality of your information.
Such information leakage could expose business-sensitive details, project data, or personal information depending on the content of the cards.
The exploit is considered easy to perform, increasing the risk of unauthorized data access.
To prevent this impact, it is advised to upgrade to WeKan version 8.21 where the vulnerability has been patched.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves unauthorized remote access to card data via Meteor publications in WeKan versions up to 8.20. Detection would involve monitoring for unusual or unauthorized access patterns to the Meteor publication endpoints, especially those related to card data.
Since the vulnerability is related to the publication functions in the file server/publications/cards.js, you can check the version of WeKan running on your system to see if it is 8.20 or earlier, which are vulnerable.
Commands to detect the vulnerability could include:
- Check the installed WeKan version: `wekan --version` or check the version in your deployment manifest or Docker image tags.
- Monitor network traffic for suspicious access to Meteor publication endpoints related to cards, for example by inspecting HTTP requests to `/sockjs` or WebSocket connections used by Meteor.
- Review logs for unauthorized access attempts or unusual queries to the card publication, if logging is enabled.
No specific detection commands or signatures are provided in the available resources.
What immediate steps should I take to mitigate this vulnerability?
The primary and recommended mitigation step is to upgrade WeKan to version 8.21 or later, which includes the patch that fixes this vulnerability.
The patch (commit ID: 0f5a9c38778ca550cbab6c5093470e1e90cb837f) strengthens access control by adding early return checks for card existence and board visibility, and enforces strict permission checks for users with assigned-only roles.
If immediate upgrade is not possible, consider restricting network access to the Meteor publication endpoints to trusted users only, and monitor for suspicious activity.
Review and tighten access control policies around board and card data in your WeKan deployment.
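The missing check described in the explanation above and the early returns described in the mitigation answer, as an added example that is not WeKan's own code: an in-memory model of a card publication with and without board-visibility validation. Field names (permission, members, isActive, assignedOnly, assignees) and the sample data are assumptions.

```javascript
// Constructed example (not WeKan's code): an in-memory model of the
// publication-side check that CVE-2026-2205 describes as missing.
// Field names (permission, members, assignedOnly, assignees) are assumptions.
const boards = [
  { _id: 'b1', permission: 'public', members: [] },
  { _id: 'b2', permission: 'private',
    members: [{ userId: 'alice', isActive: true },
              { userId: 'bob', isActive: true, assignedOnly: true }] },
];
const cards = [
  { _id: 'c1', boardId: 'b1', title: 'Public roadmap item', assignees: [] },
  { _id: 'c2', boardId: 'b2', title: 'Confidential review', assignees: ['alice'] },
  { _id: 'c3', boardId: 'b2', title: 'Bob task', assignees: ['bob'] },
];

// Vulnerable shape: resolves the card by id and publishes it without
// asking whether the caller may see the parent board.
function publishCardVulnerable(userId, cardId) {
  return cards.filter((c) => c._id === cardId);
}

// Active membership record for userId on board, or undefined.
function memberOf(board, userId) {
  return board.members.find((m) => m.userId === userId && m.isActive);
}

// Hardened shape: early returns for a missing card, a missing or
// invisible board, and an assigned-only member asking for a card
// they are not assigned to. An empty result means publish nothing.
function publishCardHardened(userId, cardId) {
  const card = cards.find((c) => c._id === cardId);
  if (!card) return [];
  const board = boards.find((b) => b._id === card.boardId);
  if (!board) return [];
  if (board.permission !== 'public') {
    const member = memberOf(board, userId);
    if (!member) return [];
    if (member.assignedOnly && !card.assignees.includes(userId)) return [];
  }
  return [card];
}
```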