CVE-2026-30846
Status: Received - Intake
Unauthorized Data Exposure in Wekan Global Webhooks Publication

Publication date: 2026-03-06

Last updated on: 2026-03-11

Assigner: GitHub, Inc.

Description
Wekan is an open source kanban tool built with Meteor. In versions 8.31.0 through 8.33, the globalwebhooks publication exposes all global webhook integrations—including sensitive url and token fields—without performing any authentication check on the server side. Although the subscription is normally invoked from the admin settings page, the server-side publication has no access control, meaning any DDP client, including unauthenticated ones, can subscribe and receive the data. This allows an unauthenticated attacker to retrieve global webhook URLs and authentication tokens, potentially enabling unauthorized use of those webhooks and access to connected external services. This issue has been fixed in version 8.34.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-06
Last Modified
2026-03-11
Generated
2026-06-16
AI Q&A
2026-03-06
EPSS Evaluated
2026-06-15
NVD
EUVD
Affected Vendors & Products
Showing 1 associated CPE

Vendor         Product   Version / Range
wekan_project  wekan     From 8.31 (inc) to 8.33 (exc)

Note: the CPE range above ends at 8.33 (exclusive), while the description lists 8.31.0 through 8.33 as affected and 8.34 as the first fixed release. Treat 8.33 as affected and upgrade to 8.34 or later.
Helpful Resources
Exploitability
CWE
KEV
CWE ID Description
CWE-200 The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
CWE-306 The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.
AI Quick Actions
Executive Summary

CVE-2026-30846 is a vulnerability in Wekan versions 8.31.0 through 8.33 where the globalwebhooks publication exposes all global webhook integrations, including sensitive URL and token fields, without performing any authentication checks on the server side.

This means that any DDP client, even unauthenticated ones, can subscribe to this publication and receive sensitive webhook data that should normally be restricted to administrators.

The vulnerability arises because the server-side publication lacks access control, allowing unauthorized users to retrieve global webhook URLs and authentication tokens.

Impact Analysis

This vulnerability leads to the disclosure of every global webhook integration, including its URL and authentication token, to anyone who can reach the Wekan instance over the network; no account is required.

An attacker who obtains these values can send requests to the webhook endpoints as if they were Wekan, and can use any secret embedded in the URL or token against the connected external service.

Depending on what the receiving services do with webhook calls, this can allow injection of forged events, disclosure of data from those services, or abuse of the integration, and the disclosed tokens remain usable until they are rotated.

Compliance Impact

I don't know

Detection Guidance

This vulnerability can be detected by checking whether an unauthenticated DDP client is able to subscribe to the 'globalwebhooks' publication and receive webhook URLs and tokens.

One way to detect exploitation attempts is to monitor for DDP subscription requests to 'globalwebhooks' from clients that never logged in. DDP messages are JSON text frames carried inside a WebSocket (a subscription looks like {"msg":"sub","id":"...","name":"globalwebhooks","params":[]}), and Meteor serves DDP on the same HTTP port as the web UI, so a capture must be taken where the traffic is still in cleartext: on the Meteor port behind the TLS-terminating reverse proxy, or on a development instance (usually port 3000).

- Use tcpdump to capture traffic on the Meteor port: tcpdump -i any port 3000 -w wekan_ddp.pcap
- Analyze the capture with Wireshark, decode the stream as WebSocket, and filter for text frames containing 'globalwebhooks'. A subscription answered by 'added' messages before any login is the exposure; on a fixed server the same subscription yields only 'ready' or 'nosub'.
- Alternatively, check Wekan server logs for subscription requests to 'globalwebhooks' from unauthenticated sessions, if such logging is enabled. Note that a reverse proxy access log records only the WebSocket upgrade request, not the DDP frames inside it, and Meteor itself does not log individual subscriptions unless the application adds that logging, so absence of log evidence does not mean the data was not retrieved. [1]
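The check above, written out as a small DDP probe. This is an added example, not code from Wekan or from this advisory: it opens a raw DDP session, deliberately skips the login step, subscribes to 'globalwebhooks' and reports what comes back. The report contains document counts, collection names and field names only, never field values, so it can be attached to a ticket without copying a token. The sample frames at the bottom are constructed (the collection name 'integrations' and the token values are made up), and the live probe assumes Node 22+ for the global WebSocket or the 'ws' package on older Node.

```javascript
'use strict';

// DDP is JSON text frames over a WebSocket; Meteor exposes the raw
// endpoint at ws(s)://<host>/websocket. These build the two frames we need.
function ddpConnect() {
  return JSON.stringify({ msg: 'connect', version: '1', support: ['1'] });
}

function ddpSub(id, name = 'globalwebhooks', params = []) {
  return JSON.stringify({ msg: 'sub', id, name, params });
}

// Classify the server's frames for subscription `subId`. Counts documents
// and records collection and field names; never copies field values.
function classify(frames, subId) {
  const fields = new Set();
  const collections = new Set();
  const out = { docs: 0, ready: false, denied: false, error: null };
  for (const raw of frames) {
    let m;
    try { m = JSON.parse(raw); } catch { continue; }
    if (m.msg === 'added') {
      out.docs += 1;
      collections.add(m.collection);
      Object.keys(m.fields || {}).forEach((f) => fields.add(f));
    } else if (m.msg === 'ready' && Array.isArray(m.subs) && m.subs.includes(subId)) {
      out.ready = true;                       // subscription completed
    } else if (m.msg === 'nosub' && m.id === subId) {
      out.denied = true;                      // server rejected the subscription
      out.error = m.error ? m.error.error : null;
    }
  }
  return {
    ...out,
    exposed: out.docs > 0,                    // any document at all = exposure
    collections: [...collections].sort(),
    fields: [...fields].sort(),
  };
}

// Live check: connect, never log in, subscribe, classify the response.
// Assumes Node 22+ (global WebSocket) or `npm install ws` on older Node.
function probe(url, timeoutMs = 5000) {
  const WS = globalThis.WebSocket || require('ws').WebSocket;
  const subId = 'probe-1';
  const frames = [];
  return new Promise((resolve, reject) => {
    const ws = new WS(url);
    const finish = () => { clearTimeout(timer); ws.close(); resolve(classify(frames, subId)); };
    const timer = setTimeout(finish, timeoutMs);  // fixed servers may simply stay silent
    ws.onopen = () => ws.send(ddpConnect());
    ws.onerror = () => { clearTimeout(timer); reject(new Error(`websocket error talking to ${url}`)); };
    ws.onmessage = (ev) => {
      const raw = typeof ev.data === 'string' ? ev.data : ev.data.toString();
      frames.push(raw);
      let m;
      try { m = JSON.parse(raw); } catch { return; }
      if (m.msg === 'connected') ws.send(ddpSub(subId));   // no login: that is the point
      else if (m.msg === 'ping') ws.send(JSON.stringify({ msg: 'pong', id: m.id }));
      else if ((m.msg === 'ready' && (m.subs || []).includes(subId)) ||
               (m.msg === 'nosub' && m.id === subId)) finish();
    };
  });
}

// Constructed sample frames: an unpatched server (A), a fix that calls
// this.ready() for anonymous sessions (B), and a fix that throws (C).
const FRAMES_UNPATCHED = [
  '{"msg":"connected","session":"s1"}',
  '{"msg":"added","collection":"integrations","id":"i1","fields":{"type":"global","url":"https://hooks.example/wekan","token":"made-up-token"}}',
  '{"msg":"ready","subs":["probe-1"]}',
];
const FRAMES_FIXED_EMPTY = ['{"msg":"connected","session":"s1"}', '{"msg":"ready","subs":["probe-1"]}'];
const FRAMES_FIXED_DENIED = [
  '{"msg":"connected","session":"s1"}',
  '{"msg":"nosub","id":"probe-1","error":{"error":403,"reason":"Not authorized"}}',
];

if (process.env.WEKAN_DDP_URL) {
  // e.g. WEKAN_DDP_URL=ws://127.0.0.1:3000/websocket node probe.js
  probe(process.env.WEKAN_DDP_URL).then((r) => console.log(JSON.stringify(r)));
} else {
  for (const [label, frames] of [['A unpatched', FRAMES_UNPATCHED],
                                 ['B fixed (empty)', FRAMES_FIXED_EMPTY],
                                 ['C fixed (denied)', FRAMES_FIXED_DENIED]]) {
    console.log(label, JSON.stringify(classify(frames, 'probe-1')));
  }
}
```

Run it against a staging copy first; against production it performs exactly one anonymous subscription and closes. A result with exposed:true and 'token' in fields means the instance is still affected regardless of what version the UI reports.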

Mitigation Strategies

The immediate mitigation step is to upgrade Wekan to version 8.34 or later, where this vulnerability has been fixed.

The fix enforces authentication and authorization checks inside the 'globalwebhooks' publication on the server side, so that only logged-in administrators receive the webhook data; the admin settings page being the normal caller was never a control, because any DDP client can name the publication directly.

If upgrading immediately is not possible, restrict network access to the Wekan instance to trusted users. DDP travels over a WebSocket on the same HTTP port as the web UI, so there is no separate "DDP port" to firewall; the whole application has to be restricted. Monitor for suspicious subscription attempts in the meantime.

Review and rotate any potentially exposed webhook tokens, and treat the webhook URLs themselves as compromised where the URL carries the secret (for example an incoming-webhook URL for a chat service). Because the publication has had no access control in every affected version and subscriptions are not logged by default, assume disclosure rather than trying to prove it from logs. [2]
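The server-side check the fix has to add, shown as an added example that is not Wekan's code and not the actual patch: the "before" handler has the shape the description gives (no check of who is subscribing), the "after" handler authenticates and authorizes inside the publication, and a small harness runs each handler as an anonymous, a member and an admin session to show which fields would reach the client. The Meteor shim at the top exists only so the file runs under plain Node; the handlers themselves use the real publication API (this.userId, this.ready()). The user and integration documents are constructed, and the 'isAdmin' flag plus the 'url'/'token' field names are assumptions for the example.

```javascript
'use strict';

// Shim so this file runs under plain Node. In a Meteor app these globals
// come from Meteor itself; only the two publish() calls are the point.
const publications = {};
const Meteor = {
  publish(name, handler) { publications[name] = handler; },
  users: { findOne: (id) => USERS.find((u) => u._id === id) || null },
};

// Constructed sample data (field names are assumptions for the example).
const USERS = [
  { _id: 'u-admin', username: 'root', isAdmin: true },
  { _id: 'u-member', username: 'alice', isAdmin: false },
];
const INTEGRATIONS = [
  { _id: 'i1', type: 'global', url: 'https://hooks.example/global', token: 'made-up-1' },
  { _id: 'i2', type: 'board', boardId: 'b1', url: 'https://hooks.example/board', token: 'made-up-2' },
];
// Minimal stand-in for a Mongo collection: find() returns matching documents.
const Integrations = {
  find: (selector) =>
    INTEGRATIONS.filter((d) => Object.entries(selector).every(([k, v]) => d[k] === v)),
};

// BEFORE: the shape of the flaw. Nothing looks at who is subscribing; the
// only thing keeping non-admins away was that the admin settings page is the
// usual caller, and a DDP client can name the publication directly.
Meteor.publish('globalwebhooks_before', function () {
  return Integrations.find({ type: 'global' });
});

// AFTER: authenticate, then authorize, on the server, inside the publication.
// Meteor sets this.userId only for a DDP session that has logged in.
Meteor.publish('globalwebhooks', function () {
  if (!this.userId) return this.ready();            // anonymous: publish nothing
  const user = Meteor.users.findOne(this.userId);
  if (!user || !user.isAdmin) return this.ready();  // logged in but not admin: nothing
  return Integrations.find({ type: 'global' });
});

// Harness: run a publication as a given session and report what that
// client would receive. Returning a cursor publishes it; this.ready() with
// no cursor publishes nothing.
function runAs(name, userId) {
  const ctx = { userId, ready() { return undefined; } };
  const result = publications[name].call(ctx);
  const docs = Array.isArray(result) ? result : [];
  return {
    docs: docs.length,
    fields: [...new Set(docs.flatMap((d) => Object.keys(d)))].sort(),
  };
}

for (const [pub, who] of [['globalwebhooks_before', null],
                          ['globalwebhooks', null],
                          ['globalwebhooks', 'u-member'],
                          ['globalwebhooks', 'u-admin']]) {
  console.log(pub, 'as', who || 'anonymous', JSON.stringify(runAs(pub, who)));
}
```

Two design points worth carrying into a real fix: ending the publication with this.ready() instead of throwing keeps anonymous clients from learning which admin-only publications exist, whereas a thrown error produces a 'nosub' frame that is easier to alert on; either is correct as long as the decision is made on the server. And if the admin page does not actually render the token, publishing the cursor with a field projection that omits it keeps the secret off the wire even for administrators.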
