CVE-2026-1894

6.3 MEDIUM

📋 TL;DR

This vulnerability in WeKan allows an authenticated user to bypass authorization checks in the REST API's checklist-item routes by manipulating the card and board ID parameters of a request. A remote attacker with an ordinary account can read or modify checklist data on boards they were never granted access to. All WeKan versions up to and including 8.20 are affected; 8.21 fixes it.

💻 Affected Systems

Products:
  • WeKan
Versions: All versions up to and including 8.20
Operating Systems: All platforms running WeKan
Default Config Vulnerable: ⚠️ Yes
Notes: Affects the REST API component, specifically the checklist-item routes implemented in checklistItems.js

📦 What is this software?

WeKan is an open-source kanban board application. Boards, cards, checklists and checklist items can be managed through its web UI and through a REST API, which is the component affected here.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete data compromise, where an attacker can read, modify or delete any cards, checklists or board data in the system

🟠 Likely Case: Unauthorized access to sensitive board data, exposing confidential information or allowing data manipulation on boards the attacker is not a member of

🟢 If Mitigated: Limited impact with proper network segmentation and access controls, but any authenticated user who can still reach the API can exploit the flaw, so some data exposure remains possible

🌐 Internet-Facing: HIGH - Remote exploitation is possible, making internet-facing instances particularly vulnerable
🏢 Internal Only: MEDIUM - Any internal user with a WeKan account could exploit this to access or modify data on boards they are not a member of

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires an authenticated WeKan account but no elevated role: the missing authorization check lets an ordinary user reach boards and cards they are not a member of. The patch commit identifies the ID parameters that were being trusted without verification.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 8.21

Vendor Advisory: https://github.com/wekan/wekan/releases/tag/v8.21

Restart Required: Yes

Instructions:

1. Backup your WeKan data and configuration
2. Stop the WeKan service
3. Update to WeKan version 8.21 or later
4. Restart the WeKan service
5. Verify the update was successful

🔧 Temporary Workarounds

Restrict API Access (applies to: all deployments)

Limit access to the WeKan REST API endpoints using network controls or web application firewall rules, so that only the hosts and integrations that need the API can reach it

Disable Unnecessary API Endpoints (applies to: all deployments)

Temporarily disable or restrict the affected REST API endpoints if they are not required for operations

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate WeKan instances from untrusted networks
  • Increase monitoring of REST API access and alert on unusual patterns, such as one account requesting checklist items across many different boardId/cardId values, or succeeding on a board it is not a member of

🔍 How to Verify

Check if Vulnerable:

Check the WeKan version. If it is 8.20 or earlier, the system is vulnerable. Compare version numbers numerically, not as strings: 8.3 sorts before 8.20 lexically but is an older, vulnerable release.

Check Version:

Check WeKan web interface settings or run appropriate version check command for your deployment method

Verify Fix Applied:

Verify version is 8.21 or later and check that the patch commit 251d49eea94834cf351bb395808f4a56fb4dbb44 is present
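As an added example for the version check above (written here, not taken from the page or the WeKan project), the comparison done numerically: a plain string comparison puts "8.3" after "8.21" and would report such a release as patched. The version string is assumed to look like "8.20", "v8.20" or "8.20.1", however you obtain it for your deployment.

```python
# Added example: numeric version comparison for the CVE-2026-1894 check.
# Assumes the version string you obtain from your deployment looks like
# "8.20", "v8.20" or "8.20.1"; the fixed release comes from the advisory.
FIXED_VERSION = "8.21"


def parse_version(version):
    """Turn '8.20' / 'v8.20' / '8.20.1' into a tuple of ints, e.g. (8, 20)."""
    return tuple(int(part) for part in version.strip().lstrip("v").split("."))


def is_vulnerable(version, fixed=FIXED_VERSION):
    """True if the running version predates the fixed release.

    Tuples compare element-wise, so (8, 3) < (8, 20) < (8, 21) as intended,
    whereas the strings sort as '8.20' < '8.21' < '8.3' and would call 8.3 safe.
    """
    return parse_version(version) < parse_version(fixed)


if __name__ == "__main__":
    for v in ("8.3", "8.20", "8.21", "v8.21.1"):
        print(v, "vulnerable" if is_vulnerable(v) else "patched")
```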

📡 Detection & Monitoring

Log Indicators:

  • Unusual API requests to checklistItems endpoints with manipulated ID parameters
  • Failed authorization attempts followed by successful requests with similar parameters
  • Access patterns showing users accessing boards/cards they shouldn't have permissions for

Network Indicators:

  • Unusual REST API traffic patterns, particularly to the checklist-item routes served by models/checklistItems.js
  • Multiple requests with varying cardId/checklistId/boardId parameters from single sources

SIEM Query:

source="wekan" AND (uri_path="/api/boards/*/cards/*/checklists/*/items" OR uri_path CONTAINS "checklistItems") AND (http_status=200 OR http_status=201) AND user_id NOT IN authorized_users_for_resource

This is a pseudo-query: the final clause cannot be evaluated from the access log alone and needs a lookup that maps each board ID in the request path to its member list, exported from WeKan.
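The three log indicators above, implemented as an added example (this is not code from the page or from WeKan): the log format, the user field and the board membership table are all assumptions, and the sample lines are constructed. The script flags successful checklist-item requests for boards the requesting user is not a member of, accounts touching many distinct board IDs, and accounts that obtain a 2xx after a 403 on these routes.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines (not real WeKan output). Assumed format:
#   <timestamp> <client-ip> <user> "<METHOD> <path>" <status>
# The user field is assumed to be added by the reverse proxy or by WeKan's
# own request logging.
SAMPLE_LOG = """\
2026-01-15T10:00:01Z 10.0.0.5 alice "GET /api/boards/b1/cards/c1/checklists/k1/items" 200
2026-01-15T10:00:02Z 10.0.0.5 alice "POST /api/boards/b1/cards/c1/checklists/k1/items" 201
2026-01-15T10:00:03Z 10.0.0.9 mallory "GET /api/boards/b2/cards/c7/checklists/k3/items" 200
2026-01-15T10:00:04Z 10.0.0.9 mallory "GET /api/boards/b1/cards/c1/checklists/k1/items/i1" 403
2026-01-15T10:00:05Z 10.0.0.9 mallory "GET /api/boards/b3/cards/c8/checklists/k4/items" 200
2026-01-15T10:00:06Z 10.0.0.9 mallory "GET /api/boards/b4/cards/c9/checklists/k5/items" 200
2026-01-15T10:00:07Z 10.0.0.7 carol "GET /api/users" 200
"""

# Assumed board membership (board id -> users allowed on that board), as you
# would export it from WeKan's boards collection.
BOARD_MEMBERS = {
    "b1": {"alice", "bob"},
    "b2": {"carol"},
    "b3": {"mallory"},
    "b4": {"carol"},
}

LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) (?P<user>\S+) '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)" (?P<status>\d{3})$'
)
# Only the checklist-item routes named in the advisory are of interest.
ITEMS_RE = re.compile(
    r'^/api/boards/(?P<board>[^/]+)/cards/(?P<card>[^/]+)'
    r'/checklists/(?P<checklist>[^/]+)/items(?:/(?P<item>[^/]+))?/?$'
)


def parse_events(text):
    """Parse log lines into dicts, keeping only checklist-item API requests."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        p = ITEMS_RE.match(m["path"])
        if not p:
            continue
        ev = m.groupdict()
        ev.update(p.groupdict())
        ev["status"] = int(ev["status"])
        events.append(ev)
    return events


def successful_cross_board(events, members):
    """2xx responses for a board the requesting user is not a member of.

    Boards missing from the membership table are treated as not authorized so
    that they are surfaced rather than silently ignored.
    """
    return [ev for ev in events
            if 200 <= ev["status"] < 300
            and ev["user"] not in members.get(ev["board"], set())]


def board_enumeration(events, min_boards=3):
    """(src, user) pairs that touched at least min_boards distinct board IDs."""
    seen = defaultdict(set)
    for ev in events:
        seen[(ev["src"], ev["user"])].add(ev["board"])
    return {key: len(boards) for key, boards in seen.items()
            if len(boards) >= min_boards}


def success_after_denial(events):
    """(src, user) pairs that received a 403 and later a 2xx on these routes."""
    denied, hits = set(), []
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["src"], ev["user"])
        if ev["status"] == 403:
            denied.add(key)
        elif 200 <= ev["status"] < 300 and key in denied and key not in hits:
            hits.append(key)
    return hits


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for ev in successful_cross_board(evs, BOARD_MEMBERS):
        print("cross-board success:", ev["user"], ev["method"], ev["path"], ev["status"])
    print("board enumeration:", board_enumeration(evs))
    print("success after 403:", success_after_denial(evs))
```

The membership lookup is the part the SIEM pseudo-query cannot do on its own; exporting the board member lists on a schedule and joining them to the access log is what turns "who called the endpoint" into "who called it for a board they cannot see".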

🔗 References

  • Vendor advisory / release notes for the fixed version: https://github.com/wekan/wekan/releases/tag/v8.21
