CVE-2026-30846
Unauthorized Data Exposure in Wekan Global Webhooks Publication
Publication date: 2026-03-06
Last updated on: 2026-03-11
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wekan_project | wekan | From 8.31 (inc) to 8.33 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-306 | The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources. |
| CWE-200 | The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-30846 is a vulnerability in Wekan versions 8.31.0 through 8.33 where the globalwebhooks publication exposes all global webhook integrations, including sensitive URL and token fields, without performing any authentication checks on the server side.
This means that any DDP client, even unauthenticated ones, can subscribe to this publication and receive sensitive webhook data that should normally be restricted to administrators.
The vulnerability arises because the server-side publication lacks access control, allowing unauthorized users to retrieve global webhook URLs and authentication tokens.
How can this vulnerability impact me?
This vulnerability can lead to unauthorized disclosure of sensitive webhook URLs and authentication tokens.
An attacker who exploits this flaw can gain unauthorized access to global webhook integrations, potentially allowing them to misuse these webhooks and access connected external services.
Such unauthorized access could result in data breaches, manipulation of data flows, or other malicious activities leveraging the compromised webhook tokens.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking whether any unauthenticated DDP clients are able to subscribe to the 'globalwebhooks' publication and receive sensitive webhook URLs and tokens.
One way to detect exploitation attempts is to monitor network traffic for DDP subscription requests to the 'globalwebhooks' publication from unauthorized or unauthenticated clients.
You can use network analysis tools like tcpdump or Wireshark to capture traffic on the port used by the Meteor application (usually 3000) and filter for DDP subscription messages.
- Use tcpdump to capture traffic on port 3000: tcpdump -i any port 3000 -w wekan_ddp.pcap
- Analyze the capture with Wireshark and filter for DDP subscription messages containing 'globalwebhooks'.
- Alternatively, check Wekan server logs for any subscription requests to 'globalwebhooks' from unauthenticated users, if logging is enabled.
[1]
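The correlation that the Wireshark step above does by hand, as an added example that is not part of this advisory or of Wekan: a detector that walks DDP messages already extracted from a capture or server log and flags 'sub' requests for the globalwebhooks publication on sessions that never completed a successful login. The per-line envelope (session, dir, ddp) is an assumed format of my own; the DDP payloads follow the public DDP wire format (method/result/sub messages).

```python
import json

# Publications treated as admin-only. 'globalwebhooks' comes from the advisory;
# extend the set for other publications your deployment considers sensitive.
SENSITIVE_PUBLICATIONS = {"globalwebhooks"}


def find_unauthenticated_subs(lines, sensitive=SENSITIVE_PUBLICATIONS):
    """Flag DDP 'sub' messages for sensitive publications on sessions that
    have not completed a successful 'login' method call.
    Each line is one JSON record in an assumed envelope:
      {"session": "<connection id>", "dir": "c2s"|"s2c", "ddp": {<DDP message>}}
    """
    logged_in = set()        # sessions with a successful login result
    pending_login = set()    # (session, method id) of login calls awaiting a result
    findings = []
    for line in lines:
        rec = json.loads(line)
        sid, direction, msg = rec["session"], rec["dir"], rec["ddp"]
        kind = msg.get("msg")
        if direction == "c2s" and kind == "method" and msg.get("method") == "login":
            pending_login.add((sid, msg.get("id")))
        elif direction == "s2c" and kind == "result" and (sid, msg.get("id")) in pending_login:
            pending_login.discard((sid, msg.get("id")))
            if "error" not in msg:      # a failed DDP method result carries an "error" key
                logged_in.add(sid)
        elif direction == "c2s" and kind == "sub" and msg.get("name") in sensitive:
            if sid not in logged_in:
                findings.append({"session": sid, "sub_id": msg.get("id"), "name": msg["name"]})
    return findings


# Constructed sample: session A logs in and then subscribes; session B subscribes
# with no login at all; session C's login fails before it subscribes.
SAMPLE_LINES = [
    '{"session": "A", "dir": "c2s", "ddp": {"msg": "method", "method": "login", "id": "1", "params": [{"resume": "<token>"}]}}',
    '{"session": "A", "dir": "s2c", "ddp": {"msg": "result", "id": "1", "result": {"id": "user1"}}}',
    '{"session": "A", "dir": "c2s", "ddp": {"msg": "sub", "id": "s1", "name": "globalwebhooks", "params": []}}',
    '{"session": "B", "dir": "c2s", "ddp": {"msg": "sub", "id": "s2", "name": "globalwebhooks", "params": []}}',
    '{"session": "C", "dir": "c2s", "ddp": {"msg": "method", "method": "login", "id": "1", "params": [{"resume": "bad"}]}}',
    '{"session": "C", "dir": "s2c", "ddp": {"msg": "result", "id": "1", "error": {"error": 403, "reason": "login failed"}}}',
    '{"session": "C", "dir": "c2s", "ddp": {"msg": "sub", "id": "s3", "name": "globalwebhooks", "params": []}}',
    '{"session": "B", "dir": "c2s", "ddp": {"msg": "sub", "id": "s4", "name": "boards", "params": []}}',
]

if __name__ == "__main__":
    for f in find_unauthenticated_subs(SAMPLE_LINES):
        print(f"session {f['session']}: unauthenticated sub {f['sub_id']} to {f['name']}")
```

A logged-in non-admin subscribing is not flagged here, because the captured messages carry no role information; that case has to be checked against the server's own authorization logic, which is what the 8.34 fix enforces.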
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade Wekan to version 8.34 or later, where this vulnerability has been fixed.
The fix enforces authentication and authorization checks on the 'globalwebhooks' publication, ensuring only logged-in administrators can access sensitive webhook data.
If upgrading immediately is not possible, consider restricting network access to the Meteor application's DDP port to trusted users only, and monitor for suspicious subscription attempts.
Review and rotate any potentially exposed webhook tokens to prevent unauthorized use.
[2]