CVE-2026-30845
Unauthorized Token Exposure in Wekan Board Composite Publication
Publication date: 2026-03-06
Last updated on: 2026-03-11
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wekan_project | wekan | From 8.31 (inclusive) to 8.33 (exclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
| CWE-200 | The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. |
AI Powered Q&A
Can you explain this vulnerability to me?
In Wekan versions 8.31.0 through 8.33, the board composite publication publishes all integration data for a board without filtering out sensitive fields.
As a result, sensitive values such as webhook URLs and authentication tokens are sent to every subscriber of the board publication.
Board publications are available to all board members regardless of role, including read-only and comment-only users, and to unauthenticated clients for public boards, so anyone who can reach a board can read its webhook credentials.
With the leaked tokens, an attacker can send forged requests to the connected webhook endpoints, which may trigger unauthorized actions in the external services behind them.
The issue was fixed in version 8.34 by excluding the sensitive token field from the published data.
How can this vulnerability impact me?
This vulnerability exposes the webhook URLs and authentication tokens of a board's integrations to any user who can access that Wekan board.
An attacker who has read these tokens can forge requests to the webhooks without being an authorized Wekan user.
Such requests can trigger unintended operations in the external services connected through those webhooks, potentially leading to data manipulation, service disruption, or other malicious activity.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
You can detect exposure by inspecting what the Wekan board composite publication actually sends to clients: the integration data delivered to board members (or, for public boards, to unauthenticated clients) should not contain webhook URLs or authentication tokens.
Because the flaw is missing field filtering in the publication, the most direct check is to subscribe to the board publication and look for a 'token' field in the integration documents you receive. Run the check from the weakest position the bug exposes: a read-only or comment-only member account, or an unauthenticated session against a public board.
Steps to do this with Meteor's DDP client tooling or a script:
- Use a DDP client (e.g. ddp-client or meteor-shell) to connect to the Wekan server.
- Subscribe to the 'board' publication for a given board ID.
- Inspect the integration documents you receive for fields such as the webhook URL and 'token'.
- If the 'token' field is present in the integration data, the instance is vulnerable. [1]
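One way to run that check offline, as an added example that is neither Wekan's code nor part of the original page: it builds the DDP handshake and subscription messages a client sends, then scans captured server-to-client DDP frames for integration documents that still carry a secret. The message shapes follow the DDP protocol; the collection name `integrations` and the field names `token` and `url` are assumptions taken from the advisory wording and not verified against Wekan's schema, and the sample capture is constructed.

```javascript
// Added example (not Wekan's code). Offline scan of DDP frames for leaked
// webhook secrets. ASSUMPTIONS: the publication sends an "integrations"
// collection whose documents carry "url" and "token" fields.

// Field names treated as secrets; "url" because a webhook URL may embed one.
const SENSITIVE_FIELDS = ["token", "url"];

// DDP messages a client sends, in order: handshake, then the board subscription.
function buildSubscriptionMessages(boardId, subId = "leak-check-1") {
  return [
    { msg: "connect", version: "1", support: ["1"] },
    { msg: "sub", id: subId, name: "board", params: [boardId] },
  ];
}

// Scan server -> client DDP messages. Both "added" and "changed" deliver
// document fields, so both are checked. Returns one entry per leaking document.
function findLeakedIntegrationFields(messages, collection = "integrations") {
  const leaks = [];
  for (const m of messages) {
    if (m.collection !== collection) continue;
    if (m.msg !== "added" && m.msg !== "changed") continue;
    const fields = m.fields || {};
    const exposed = SENSITIVE_FIELDS.filter((f) =>
      Object.prototype.hasOwnProperty.call(fields, f)
    );
    if (exposed.length > 0) leaks.push({ id: m.id, exposed });
  }
  return leaks;
}

// Convenience wrapper for a capture saved as one JSON frame per line.
// Non-JSON lines (transport framing, keepalives) are skipped.
function scanRawDdpLog(lines) {
  const parsed = [];
  for (const line of lines) {
    try {
      parsed.push(JSON.parse(line));
    } catch {
      // not a DDP JSON frame; ignore
    }
  }
  return findLeakedIntegrationFields(parsed);
}

// Constructed sample: what a vulnerable server might send after the sub above.
const SAMPLE_CAPTURE = [
  JSON.stringify({ msg: "connected", session: "abc123" }),
  JSON.stringify({ msg: "added", collection: "boards", id: "b1", fields: { title: "Demo" } }),
  JSON.stringify({
    msg: "added", collection: "integrations", id: "i1",
    fields: { boardId: "b1", enabled: true, url: "https://hooks.example/ci", token: "s3cr3t" },
  }),
  JSON.stringify({ msg: "ready", subs: ["leak-check-1"] }),
];

// Same document as a patched server would publish it: no token field.
const PATCHED_CAPTURE = [
  JSON.stringify({
    msg: "added", collection: "integrations", id: "i1",
    fields: { boardId: "b1", enabled: true },
  }),
];

function demo() {
  return {
    clientMessages: buildSubscriptionMessages("b1"),
    vulnerable: scanRawDdpLog(SAMPLE_CAPTURE),
    patched: scanRawDdpLog(PATCHED_CAPTURE),
  };
}
```

To use it against a real instance, record the JSON frames your DDP client receives after subscribing to `board` for a board ID from a low-privilege or unauthenticated session, and pass those lines to `scanRawDdpLog`; any non-empty result lists the integration documents that leak.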
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation is to upgrade Wekan to version 8.34 or later, where the issue is fixed.
The fix changes the board composite publication so that the sensitive 'token' field is excluded from the integration data sent to clients.
If you cannot upgrade immediately, reduce who can subscribe to board publications: restrict board membership to trusted users and temporarily disable public boards so that unauthenticated clients cannot subscribe.
- Upgrade Wekan to version 8.34 or later.
- Alternatively, apply the patch that excludes the 'token' field from the ReactiveCache.getIntegrations call in the board publication.
- Restrict board access permissions so that unauthorized users cannot subscribe to board publications.
- Disable public boards where possible until the fix is applied.
- Treat the webhook tokens of affected boards as compromised: any board member could already have read them, so rotate them on the receiving services after patching. [2]
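The shape of the fix, as an added example that is not Wekan's code or the page's own: a stand-in `getIntegrations(selector, options)` backed by an in-memory collection with a minimal Mongo-style field projection, so the unfiltered publication can be compared with one that excludes `token` (the fix described above) and with an allowlist projection that only publishes what a board view needs. The document fields, the `getIntegrations` stand-in (not Wekan's `ReactiveCache` API) and the sample documents are all constructed for illustration.

```javascript
// Added example (not Wekan's code). Compares three ways a server-side
// publication can hand integration documents to clients. ASSUMPTIONS: the
// field names below and getIntegrations() are stand-ins, not Wekan's schema/API.

// Constructed sample documents, as stored server-side.
const INTEGRATIONS = [
  { _id: "i1", boardId: "b1", title: "CI hook", enabled: true, activities: ["all"],
    url: "https://hooks.example/ci", token: "s3cr3t-1" },
  { _id: "i2", boardId: "b2", title: "Other", enabled: false, activities: [],
    url: "https://hooks.example/o", token: "s3cr3t-2" },
];

// Simplified Mongo projection: either all-exclusion ({f: 0}) or all-inclusion
// ({f: 1}); _id is kept unless explicitly {_id: 0}. Mixed specs are not supported.
function project(doc, fields) {
  if (!fields || Object.keys(fields).length === 0) return { ...doc };
  const inclusion = Object.entries(fields).some(([k, v]) => k !== "_id" && v === 1);
  const out = {};
  for (const [k, v] of Object.entries(doc)) {
    if (k === "_id") {
      if (fields._id !== 0) out[k] = v;
      continue;
    }
    const keep = inclusion ? fields[k] === 1 : fields[k] !== 0;
    if (keep) out[k] = v;
  }
  return out;
}

// Stand-in for a collection query with Mongo-style {fields: {...}} options.
function getIntegrations(selector, options = {}) {
  return INTEGRATIONS
    .filter((d) => Object.entries(selector).every(([k, v]) => d[k] === v))
    .map((d) => project(d, options.fields));
}

// Before the fix: every stored field reaches every subscriber.
function publishIntegrationsVulnerable(boardId) {
  return getIntegrations({ boardId });
}

// Fix described in the advisory: drop the token field from what is published.
function publishIntegrationsDenylist(boardId) {
  return getIntegrations({ boardId }, { fields: { token: 0 } });
}

// Stricter alternative: publish only the fields the board UI needs, so a secret
// field added to the schema later is not exposed by default.
function publishIntegrationsAllowlist(boardId) {
  return getIntegrations(
    { boardId },
    { fields: { boardId: 1, title: 1, enabled: 1, activities: 1 } }
  );
}

// Checks a practitioner would run against what actually reaches the client.
function leaksToken(docs) {
  return docs.some((d) => Object.prototype.hasOwnProperty.call(d, "token"));
}
function exposesWebhookUrl(docs) {
  return docs.some((d) => Object.prototype.hasOwnProperty.call(d, "url"));
}
```

The denylist form removes the token but still publishes the webhook URL; whether that URL itself must be hidden depends on whether the receiving service treats it as a secret, which is why the allowlist projection is the safer default when you patch this yourself.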