CVE-2026-2208
Authorization Bypass in WeKan Rules Handler Allows Remote Access

Publication date: 2026-02-08

Last updated on: 2026-02-11

Assigner: VulDB

Description
A security vulnerability has been identified in WeKan versions up to 8.20. Affected is an unknown function in the file server/publications/rules.js of the Rules Handler component. The manipulation leads to missing authorization. The attack can be initiated remotely. Upgrading to version 8.21 is recommended to address this issue; the fix is identified by commit a787bcddf33ca28afb13ff5ea9a4cb92dceac005. The affected component should be upgraded.
Meta Information
Generated: 2026-05-07
AI Q&A: 2026-02-08
EPSS evaluated: 2026-05-05
Affected Vendors & Products (1 associated CPE)
Vendor: wekan_project
Product: wekan
Version / Range: up to 8.21 (8.21 excluded)
CWE
CWE-862: The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
CWE-863: The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-2208 is an authorization vulnerability in WeKan versions up to 8.20, specifically in the Rules Handler component within the file server/publications/rules.js. The vulnerability occurs because the system fails to properly check if a user is authorized before granting access to certain rule-related data. This missing authorization flaw allows remote attackers to access sensitive administrative data without proper permissions.

The issue is classified under CWE-862 (missing authorization) and can be exploited remotely without requiring local access or physical interaction. The vulnerability is moderate in severity with a CVSSv3 base score of 4.3.


How can this vulnerability impact me?

This vulnerability can impact you by allowing unauthorized users to remotely access sensitive administrative data related to rules, triggers, actions, and reports within the Wekan platform. Such unauthorized access can lead to information disclosure, potentially exposing confidential or sensitive configuration details.

Although the vulnerability does not directly allow modification or destruction of data, the exposure of administrative automation data could aid attackers in further exploiting the system or understanding its internal configurations.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability involves missing authorization checks in the Wekan application, specifically in the server/publications/rules.js file. Detection would involve verifying if unauthorized access to rules, triggers, actions, or reports data is possible remotely without proper authentication or admin privileges.

Since the vulnerability is related to unauthorized data exposure via Meteor publications, detection could include monitoring network traffic for unauthorized API calls to these publications or attempting to access these endpoints without authentication or admin rights.

No specific detection commands are provided in the available resources.


What immediate steps should I take to mitigate this vulnerability?

The primary and recommended mitigation step is to upgrade Wekan to version 8.21 or later, which includes the patch that fixes this authorization vulnerability.

The patch (commit a787bcddf33ca28afb13ff5ea9a4cb92dceac005) enforces strict user authentication and authorization checks in the server/publications/rules.js file, ensuring only authenticated users with appropriate admin privileges can access sensitive rule-related data.

Until the upgrade can be applied, restrict access to the Wekan instance to trusted users only and monitor for any suspicious access attempts to the rules, triggers, actions, and reports data.
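As an added illustration of the kind of check the patch enforces (this is constructed example code, not the WeKan patch or WeKan's own code): a Meteor-style publish handler first with no authorization check, then with one that rejects anonymous and non-admin callers. The `runPublication` shim, the `isAdmin` flag, and the `users` and `rules` data are assumed stand-ins for Meteor's runtime and WeKan's collections.

```javascript
// Constructed in-memory stand-ins for the users and rules collections.
const users = new Map([
  ['u-admin',  { _id: 'u-admin',  isAdmin: true }],
  ['u-member', { _id: 'u-member', isAdmin: false }],
]);
const rules = [
  { _id: 'r1', title: 'Archive card when moved to Done', boardId: 'b1' },
  { _id: 'r2', title: 'Mail assignee on due date',       boardId: 'b2' },
];

// Minimal shim for how Meteor invokes a publish handler: `this.userId` is
// the caller's id (null when not logged in) and `this.ready()` closes the
// publication without sending any documents.
function runPublication(handler, userId) {
  const ctx = {
    userId,
    readyCalled: false,
    ready() { this.readyCalled = true; },
  };
  const result = handler.call(ctx);
  return Array.isArray(result) ? result : [];
}

// Before the fix (CWE-862): no check at all, so any caller, logged in or
// not, receives every rule document.
function publishRulesVulnerable() {
  return rules;
}

// After the fix: deny anonymous callers, then deny non-admins. Calling
// this.ready() and returning nothing is the idiomatic Meteor way to
// publish an empty result instead of throwing.
function publishRulesFixed() {
  if (!this.userId) {
    this.ready();
    return;
  }
  const user = users.get(this.userId);
  if (!user || user.isAdmin !== true) {
    this.ready();
    return;
  }
  return rules;
}

// Rule ids a given caller would receive from a handler.
function rulesVisibleTo(userId, handler = publishRulesFixed) {
  return runPublication(handler, userId).map((rule) => rule._id);
}
```

The same guard applies unchanged to the triggers, actions and reports publications the advisory lists; only the returned collection differs.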

