CVE-2026-30847
Insecure Data Exposure in Wekan NotificationUsers Publication
Publication date: 2026-03-06
Last updated on: 2026-03-11
Assigner: GitHub, Inc.
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wekan_project | wekan | From 8.31 (inc) to 8.33 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-285 | The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action. |
| CWE-200 | The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-30847 is a vulnerability in Wekan, an open source kanban tool built with Meteor. In versions 8.31.0 through 8.33, the notificationUsers publication returns user documents without filtering any fields. This causes the ReactiveCache.getUsers() call to expose all user data, including highly sensitive information such as bcrypt password hashes, active session login tokens, email verification tokens, full email addresses, and stored OAuth tokens.

Unlike Meteor's default behavior, which hides sensitive fields like services, this custom publication returns all fields present in the database cursor. As a result, any authenticated user who triggers this publication can access credentials and active session tokens of other users, enabling attacks like password cracking, session hijacking, and full account takeover. [2]
How can this vulnerability impact me?
This vulnerability can have severe impacts including unauthorized disclosure of sensitive user credentials and tokens. Attackers can harvest bcrypt password hashes, active session tokens, and email verification tokens from other users.
With this information, attackers can perform password cracking, hijack active user sessions, and take over user accounts completely. This compromises user privacy and security, potentially leading to data breaches and unauthorized access to sensitive information.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves the notificationUsers publication in Wekan returning user documents with no field filtering, exposing sensitive user data. To detect exploitation attempts, monitor network traffic or application logs for calls to the notificationUsers publication from authenticated users.

You can check for suspicious access patterns or queries that retrieve full user documents including sensitive fields such as services.password.bcrypt or services.resume.loginTokens.

Since the vulnerability is in the Meteor.publish function named 'notificationUsers', you can audit your Wekan server logs for calls to this publication.

Example commands to detect such activity might include:

- Using grep or similar tools to search server logs for 'notificationUsers' publication calls.
- Monitoring network traffic for Meteor DDP subscription messages requesting 'notificationUsers'.
- Querying the database or application logs for unexpected queries returning full user documents. [2]
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation is to upgrade Wekan to version 8.34 or later, where the vulnerability has been fixed.

The fix restricts the fields published by the notificationUsers publication to only non-sensitive user attributes such as username, profile.fullname, profile.avatarUrl, and profile.initials.

If immediate upgrade is not possible, you should modify the Meteor.publish function named 'notificationUsers' in the server/publications/notifications.js file to explicitly specify a fields object that limits the user data exposed.

Additionally, review and restrict access to this publication to only trusted users or roles if possible. [1, 2]
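The following is an added example, not Wekan's own code: it simulates what a publication exposes when the cursor carries no `fields` projection versus the allow-list the fix describes, using a minimal MongoDB-style inclusion projection over a constructed user document. The sample document, its placeholder secret values and the `leakedPaths` helper are assumptions made for the demonstration; in a real Meteor publication the same allow-list would be passed as the `fields` option of the `Meteor.users.find()` cursor.

```javascript
// Constructed sample user document; secret values are placeholders, not real data.
const SAMPLE_USER = {
  _id: 'u1',
  username: 'alice',
  emails: [{ address: 'alice@example.com', verified: true }],
  profile: { fullname: 'Alice', avatarUrl: '/a.png', initials: 'A', lang: 'en' },
  services: {
    password: { bcrypt: '$2b$10$PLACEHOLDER_HASH' },
    resume: { loginTokens: [{ hashedToken: 'PLACEHOLDER_TOKEN', when: 1 }] },
    email: { verificationTokens: [{ token: 'PLACEHOLDER', address: 'alice@example.com' }] },
    oauth: { accessToken: 'PLACEHOLDER' },
  },
};

// Allow-list matching the fields the fixed publication exposes.
const PUBLIC_USER_FIELDS = {
  username: 1,
  'profile.fullname': 1,
  'profile.avatarUrl': 1,
  'profile.initials': 1,
};

// Top-level paths that must never leave the server through a publication.
const SENSITIVE_PATHS = ['services', 'emails'];

// Apply a MongoDB-style inclusion projection with dotted paths (_id is always
// kept, as Mongo does). A missing projection returns the whole document,
// which is exactly the vulnerable behaviour the advisory describes.
function project(doc, fields) {
  if (!fields) return JSON.parse(JSON.stringify(doc));
  const out = { _id: doc._id };
  for (const path of Object.keys(fields)) {
    const parts = path.split('.');
    let src = doc, dst = out;
    for (let i = 0; i < parts.length; i++) {
      const key = parts[i];
      if (src === null || typeof src !== 'object' || !(key in src)) break;
      if (i === parts.length - 1) { dst[key] = src[key]; break; }
      dst[key] = dst[key] ?? {};
      src = src[key]; dst = dst[key];
    }
  }
  return out;
}

// Audit helper (assumed, not Wekan's): lists sensitive paths present in a
// published document; an empty array means none of them leaked.
function leakedPaths(published) {
  return SENSITIVE_PATHS.filter((p) => p in published);
}
```

Running `leakedPaths` over the output of each projection is a quick way to confirm, before and after patching, that a publication no longer carries `services` or `emails`.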