CVE-2026-1892
📋 TL;DR
This CVE describes an improper authorization vulnerability in WeKan's REST API that allows attackers to manipulate board organization settings through specific parameters. Attackers could potentially modify board permissions or access unauthorized data. The vulnerability affects WeKan instances up to version 8.20 that are exposed to network access.
💻 Affected Systems
- WeKan
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
An attacker could gain unauthorized administrative access to boards, modify board permissions, access sensitive data, or disrupt board functionality across the entire WeKan instance.
Likely Case
Attackers with some level of access could escalate privileges within specific boards, modify board settings they shouldn't have access to, or access board data beyond their authorized scope.
If Mitigated
With proper network segmentation and access controls, the impact would be limited to authorized users attempting privilege escalation within their accessible scope.
🎯 Exploit Status
The vulnerability requires manipulation of specific parameters (item.cardId/item.checklistId/card.boardId) and the exploit is reported as difficult with high complexity.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 8.21
Vendor Advisory: https://github.com/wekan/wekan/releases/tag/v8.21
Restart Required: Yes
Instructions:
1. Back up your WeKan instance and data.
2. Stop the WeKan service.
3. Update to WeKan version 8.21 or later.
4. Restart the WeKan service.
5. Verify that the update was successful.
🔧 Temporary Workarounds
Network Access Restriction
Restrict network access to the WeKan instance to trusted users and networks only.
Use firewall rules to limit access (the ACCEPT rule must be added before the DROP rule so that trusted traffic matches first; [wekan-port] and [trusted-network] are placeholders for your values):
iptables -A INPUT -p tcp --dport [wekan-port] -s [trusted-network] -j ACCEPT
iptables -A INPUT -p tcp --dport [wekan-port] -j DROP
🧯 If You Can't Patch
- Implement strict network segmentation and limit WeKan access to only necessary users
- Monitor for suspicious API calls to the setBoardOrgs function and related board manipulation activities
🔍 How to Verify
Check if Vulnerable:
Check the WeKan version from package.json inside the container (note that docker exec [wekan-container] node --version reports only the Node.js runtime version, not the WeKan release):
Check Version:
docker exec [wekan-container] grep version /app/programs/server/package.json
Verify Fix Applied:
Verify that the version is 8.21 or higher and check that commit cabfeed9a68e21c469bf206d8655941444b9912c is present in the deployed code.
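The version check above is a string comparison that is easy to get wrong by hand (for example "8.9" sorting after "8.21"). The following is an added example, not part of the advisory or of the WeKan project, that reads the version field from package.json contents and decides whether the installed release predates the fixed version 8.21 named in the advisory. The sample package.json content is constructed for the example.

```python
"""Added example (not from the advisory or the WeKan project): decide whether a
WeKan install is below the fixed release for CVE-2026-1892 by reading the
version from package.json, as the advisory's docker exec / grep check does."""
import json
import re

# Fixed release named in the advisory.
FIXED_VERSION = "8.21"


def parse_version(text: str) -> tuple:
    """Turn '8.20', 'v8.21' or '8.21.0-rc1' into a comparable integer tuple.

    A leading 'v' and any pre-release suffix are dropped; missing components
    are treated as 0 so that '8.21' compares equal to '8.21.0'.
    """
    m = re.match(r"v?(\d+(?:\.\d+)*)", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def version_from_package_json(content: str) -> str:
    """Extract the "version" field from package.json contents (the file the
    advisory greps inside the container)."""
    return json.loads(content)["version"]


def is_vulnerable(version: str) -> bool:
    """True when the installed version predates the fixed release."""
    return parse_version(version) < parse_version(FIXED_VERSION)


# Constructed sample: a trimmed package.json as it might be read from a container.
SAMPLE_PACKAGE_JSON = '{"name": "wekan", "version": "8.20.0"}'

if __name__ == "__main__":
    v = version_from_package_json(SAMPLE_PACKAGE_JSON)
    print(v, "vulnerable" if is_vulnerable(v) else "fixed")
```

Feed it the output of `docker exec [wekan-container] cat /app/programs/server/package.json` (the path is the one the advisory uses). The result is a version comparison only; whether an instance is actually exposed also depends on the network reachability described in the workaround section.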
📡 Detection & Monitoring
Log Indicators:
- Unusual API calls to setBoardOrgs function
- Multiple failed authorization attempts on board operations
- Unexpected board permission changes
Network Indicators:
- Unusual patterns of REST API calls to board manipulation endpoints
- Requests manipulating item.cardId, item.checklistId, or card.boardId parameters
SIEM Query:
source="wekan-logs" AND ("setBoardOrgs" OR "unauthorized board access" OR "permission escalation")
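The log and network indicators above can be applied programmatically where no SIEM is in place. The following is an added example, not part of the advisory or of WeKan, that runs the three indicators (setBoardOrgs calls, repeated denied board operations, and the advisory's suspect parameter names) over application log lines and reports the users worth investigating. The JSON log format and the field names (user, method, status, body) are assumptions for the example; real WeKan logs will differ and the parsing would need adapting. The sample lines are constructed.

```python
"""Added example (not from the advisory or WeKan): a small detector that runs
the advisory's log indicators over application log lines. The log format
below is constructed for this example; the field names user, method, status
and body are assumptions, not WeKan's real log schema."""
import json
from collections import defaultdict

# Parameter names the advisory lists as the ones an exploit manipulates.
SUSPECT_PARAMS = ("item.cardId", "item.checklistId", "card.boardId")
SUSPECT_METHOD = "setBoardOrgs"
# Flag a user after this many denied board operations in the examined window.
DENIED_THRESHOLD = 3

# Constructed sample log, one JSON object per line.
SAMPLE_LOG = """\
{"ts":"2026-02-01T10:00:01Z","user":"alice","method":"cards.update","status":200,"body":{"title":"x"}}
{"ts":"2026-02-01T10:00:02Z","user":"mallory","method":"setBoardOrgs","status":403,"body":{"card.boardId":"b1"}}
{"ts":"2026-02-01T10:00:03Z","user":"mallory","method":"setBoardOrgs","status":403,"body":{"item.cardId":"c9"}}
{"ts":"2026-02-01T10:00:04Z","user":"mallory","method":"setBoardOrgs","status":403,"body":{"item.checklistId":"k2"}}
{"ts":"2026-02-01T10:00:05Z","user":"mallory","method":"setBoardOrgs","status":200,"body":{"card.boardId":"b1"}}
{"ts":"2026-02-01T10:00:06Z","user":"bob","method":"boards.update","status":403,"body":{}}
"""


def parse_log(text):
    """Parse newline-delimited JSON into a list of dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def classify(entry):
    """Return the list of indicator names an entry matches (empty = benign)."""
    hits = []
    if entry.get("method") == SUSPECT_METHOD:
        hits.append("setBoardOrgs call")
    if entry.get("status") == 403:
        hits.append("denied board operation")
    body = entry.get("body") or {}
    if any(p in body for p in SUSPECT_PARAMS):
        hits.append("suspect parameter")
    return hits


def detect(text):
    """Aggregate indicators per user and return the users worth investigating.

    A user is flagged when they (a) called setBoardOrgs at all, or (b)
    accumulated DENIED_THRESHOLD or more 403s, which is the advisory's
    'multiple failed authorization attempts on board operations' indicator.
    """
    calls = defaultdict(int)
    denied = defaultdict(int)
    for e in parse_log(text):
        hits = classify(e)
        if "setBoardOrgs call" in hits:
            calls[e["user"]] += 1
        if "denied board operation" in hits:
            denied[e["user"]] += 1
    users = set(calls) | set(denied)
    return {
        u: {"setBoardOrgs_calls": calls[u], "denied": denied[u]}
        for u in sorted(users)
        if calls[u] > 0 or denied[u] >= DENIED_THRESHOLD
    }


if __name__ == "__main__":
    for user, summary in detect(SAMPLE_LOG).items():
        print(user, summary)
```

On the constructed sample only mallory is reported: several denied setBoardOrgs attempts followed by one that succeeded, which is the sequence a reviewer should look at first. The rule follows the advisory's "unusual API calls to setBoardOrgs" indicator literally, so in production you would exclude users who are legitimately expected to change board organization settings and tune DENIED_THRESHOLD to the normal error rate of the instance.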