CVE-2026-30847
Received Received - Intake
Insecure Data Exposure in Wekan NotificationUsers Publication

Publication date: 2026-03-06

Last updated on: 2026-03-11

Assigner: GitHub, Inc.

Description
Wekan is an open source kanban tool built with Meteor. In versions 8.31.0 through 8.33, the notificationUsers publication in Wekan publishes user documents with no field filtering, causing the ReactiveCache.getUsers() call to return all fields including highly sensitive data such as bcrypt password hashes, active session login tokens, email verification tokens, full email addresses, and any stored OAuth tokens. Unlike Meteor's default auto-publication which strips the services field for security, custom publications return whatever fields the cursor contains, meaning all subscribers receive the complete user documents. Any authenticated user who triggers this publication can harvest credentials and active session tokens for other users, enabling password cracking, session hijacking, and full account takeover. This issue has been fixed in version 8.34.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-06
Last Modified
2026-03-11
Generated
2026-06-16
AI Q&A
2026-03-06
EPSS Evaluated
2026-06-15
NVD
CVE-2026-30847
EUVD
EUVD-2026-10066
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
wekan_project wekan From 8.31 (inc) to 8.33 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-285 The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.
CWE-200 The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': 'CVE-2026-30847 is a vulnerability in Wekan, an open source kanban tool built with Meteor. In versions 8.31.0 through 8.33, the notificationUsers publication returns user documents without filtering any fields. This causes the ReactiveCache.getUsers() call to expose all user data, including highly sensitive information such as bcrypt password hashes, active session login tokens, email verification tokens, full email addresses, and stored OAuth tokens.'}, {'type': 'paragraph', 'content': "Unlike Meteor's default behavior which hides sensitive fields like services, this custom publication returns all fields present in the database cursor. As a result, any authenticated user who triggers this publication can access credentials and active session tokens of other users, enabling attacks like password cracking, session hijacking, and full account takeover."}] [2]

Impact Analysis

This vulnerability can have severe impacts including unauthorized disclosure of sensitive user credentials and tokens. Attackers can harvest bcrypt password hashes, active session tokens, and email verification tokens from other users.

With this information, attackers can perform password cracking, hijack active user sessions, and take over user accounts completely. This compromises user privacy and security, potentially leading to data breaches and unauthorized access to sensitive information.

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability involves the notificationUsers publication in Wekan returning user documents with no field filtering, exposing sensitive user data. To detect exploitation attempts, monitor network traffic or application logs for calls to the notificationUsers publication from authenticated users.'}, {'type': 'paragraph', 'content': 'You can check for suspicious access patterns or queries that retrieve full user documents including sensitive fields such as services.password.bcrypt or services.resume.loginTokens.'}, {'type': 'paragraph', 'content': "Since the vulnerability is in the Meteor.publish function named 'notificationUsers', you can audit your Wekan server logs for calls to this publication."}, {'type': 'paragraph', 'content': 'Example commands to detect such activity might include:'}, {'type': 'list_item', 'content': "Using grep or similar tools to search server logs for 'notificationUsers' publication calls."}, {'type': 'list_item', 'content': "Monitoring network traffic for Meteor DDP subscription messages requesting 'notificationUsers'."}, {'type': 'list_item', 'content': 'Querying the database or application logs for unexpected queries returning full user documents.'}] [2]

Mitigation Strategies

[{'type': 'paragraph', 'content': 'The primary mitigation is to upgrade Wekan to version 8.34 or later, where the vulnerability has been fixed.'}, {'type': 'paragraph', 'content': 'The fix restricts the fields published by the notificationUsers publication to only non-sensitive user attributes such as username, profile.fullname, profile.avatarUrl, and profile.initials.'}, {'type': 'paragraph', 'content': "If immediate upgrade is not possible, you should modify the Meteor.publish function named 'notificationUsers' in the server/publications/notifications.js file to explicitly specify a fields object that limits the user data exposed."}, {'type': 'paragraph', 'content': 'Additionally, review and restrict access to this publication to only trusted users or roles if possible.'}] [1, 2]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-30847. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart