CVE-2026-1895

6.3 MEDIUM

📋 TL;DR

CVE-2026-1895 is an improper access control vulnerability in WeKan's attachment storage handler that allows remote attackers to bypass intended restrictions. This affects WeKan versions up to 8.20, potentially enabling unauthorized access to or manipulation of attachments. Organizations using vulnerable WeKan instances for project management or collaboration are at risk.

💻 Affected Systems

Products:
  • WeKan
Versions: Up to and including version 8.20
Operating Systems: All platforms running WeKan
Default Config Vulnerable: ⚠️ Yes
Notes: All WeKan deployments using affected versions are vulnerable regardless of configuration.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could access, modify, or delete sensitive attachments across all boards and lists, potentially exposing confidential data or disrupting business operations.

🟠 Likely Case

Unauthorized access to attachments within boards where the attacker has some level of access, leading to data exposure or integrity issues.

🟢 If Mitigated

With proper network segmentation and authentication controls, impact would be limited to authorized users within their designated access scope.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

The vulnerability requires some level of access to WeKan but can be exploited remotely. The specific manipulation technique is not publicly documented.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 8.21

Vendor Advisory: https://github.com/wekan/wekan/releases/tag/v8.21

Restart Required: Yes

Instructions:

1. Backup your WeKan data and configuration
2. Stop the WeKan service
3. Update to WeKan version 8.21 or later
4. Restart the WeKan service
5. Verify the update was successful

🔧 Temporary Workarounds

Restrict network access (Linux, iptables)

Limit access to the WeKan instance to trusted networks only, using firewall rules such as the following (the ACCEPT rule must come before the DROP rule):

iptables -A INPUT -p tcp --dport [wekan-port] -s [trusted-network] -j ACCEPT
iptables -A INPUT -p tcp --dport [wekan-port] -j DROP

This only limits who can reach the instance; it does not address misuse by users who already have access to WeKan.

🧯 If You Can't Patch

  • Implement strict access controls and user permissions within WeKan
  • Monitor attachment access logs for suspicious activity

🔍 How to Verify

Check if Vulnerable:

Check WeKan version in admin panel or via API endpoint

Check Version:

curl -s http://[wekan-host]:[port]/api/version

If the endpoint is unavailable, check the version in the admin panel instead.

Verify Fix Applied:

Confirm version is 8.21 or higher and test attachment access controls
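A small helper for the version comparison above, added here as an example and not part of the advisory or of WeKan itself. Dotted versions must be compared numerically: a plain string comparison puts "8.9" above "8.21" and would wrongly report a vulnerable instance as fixed. The optional fetch helper assumes the version endpoint returns the version either as plain text or as JSON with a "version" key; that response shape is an assumption, only the endpoint path comes from the advisory.

```python
"""Version check for CVE-2026-1895: WeKan up to and including 8.20 is affected, 8.21 fixes it."""
import json
import re
import sys
import urllib.request

FIXED_VERSION = "8.21"


def parse_version(text):
    """Return a tuple of ints from strings like '8.21', 'v8.20' or '8.21.0-rc1'."""
    m = re.search(r"(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"no version number found in {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def is_patched(version_text, fixed=FIXED_VERSION):
    """True when the running version is at or above the fixed version.

    Tuple comparison is element-wise and numeric, so (8, 9) < (8, 21)
    even though the string '8.9' sorts after '8.21'.
    """
    return parse_version(version_text) >= parse_version(fixed)


def fetch_version(url, timeout=5):
    """Fetch the version string from the endpoint (response shape is an assumption)."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:  # noqa: S310 (operator-supplied URL)
        body = resp.read().decode("utf-8", errors="replace").strip()
    try:
        data = json.loads(body)
        if isinstance(data, dict) and "version" in data:
            return str(data["version"])
    except json.JSONDecodeError:
        pass
    return body


if __name__ == "__main__":
    # Usage: python check_wekan_version.py http://[wekan-host]:[port]/api/version
    # or:    python check_wekan_version.py 8.20   (version read from the admin panel)
    arg = sys.argv[1] if len(sys.argv) > 1 else "8.20"
    version = fetch_version(arg) if arg.startswith("http") else arg
    state = "patched" if is_patched(version) else "VULNERABLE (CVE-2026-1895)"
    print(f"WeKan {version}: {state}")
```

Run it with the version string copied from the admin panel, or with the API URL if your deployment exposes one.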

📡 Detection & Monitoring

Log Indicators:

  • Unusual attachment access patterns
  • Failed access attempts to restricted attachments
  • Multiple attachment operations from single user in short time

Network Indicators:

  • Unusual API calls to attachment endpoints
  • Traffic patterns suggesting attachment enumeration

SIEM Query:

source="wekan" AND (attachment_access OR file_download) AND user NOT IN [authorized_users]
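The log and SIEM indicators above expressed as runnable detection logic, added here as an example; it is not part of the advisory and WeKan's real log format is not described on this page, so both the line format and the board membership table below are constructed for illustration and parse_line() must be adapted to your deployment. It flags the three patterns listed: denied attachment operations, attachment operations by users who are not members of the board, and bursts of attachment operations by one user within a short window.

```python
"""Attachment-access detection over constructed WeKan-style log lines."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines (not real WeKan output):
# "<ISO timestamp> <user> <action> board=<id> [attachment=<id>] result=<ok|denied>"
SAMPLE_LOG = """\
2026-03-01T10:00:00Z alice attachment_download board=b1 attachment=a1 result=ok
2026-03-01T10:00:05Z mallory attachment_download board=b1 attachment=a1 result=ok
2026-03-01T10:00:06Z mallory attachment_download board=b1 attachment=a2 result=ok
2026-03-01T10:00:07Z mallory attachment_download board=b1 attachment=a3 result=ok
2026-03-01T10:00:08Z mallory attachment_download board=b1 attachment=a4 result=ok
2026-03-01T10:00:09Z mallory attachment_download board=b1 attachment=a5 result=ok
2026-03-01T10:00:10Z mallory attachment_download board=b1 attachment=a6 result=ok
2026-03-01T10:05:00Z bob attachment_delete board=b2 attachment=a9 result=denied
2026-03-01T10:30:00Z alice card_update board=b1 result=ok
"""

# Constructed membership table: the "authorized_users" set from the SIEM query, per board.
BOARD_MEMBERS = {"b1": {"alice", "carol"}, "b2": {"bob"}}

ATTACHMENT_ACTIONS = {
    "attachment_download", "attachment_upload", "attachment_delete", "attachment_rename",
}


def parse_line(line):
    """Parse one constructed log line into a dict; adapt this to your real log format."""
    ts_text, user, action, *pairs = line.split()
    fields = dict(pair.split("=", 1) for pair in pairs)
    fields.update(ts=datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ"), user=user, action=action)
    return fields


def detect(log_text, burst_threshold=5, window=timedelta(seconds=60), board_members=BOARD_MEMBERS):
    """Return a list of (alert_kind, user, detail) tuples for suspicious attachment activity."""
    alerts = []
    recent = defaultdict(deque)      # user -> timestamps of attachment ops inside the window
    burst_flagged = set()            # users already reported for a burst
    non_member_flagged = set()       # (user, board) pairs already reported
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)
        if ev["action"] not in ATTACHMENT_ACTIONS:
            continue
        # Failed access attempts to restricted attachments.
        if ev.get("result") == "denied":
            alerts.append(("denied_attachment_access", ev["user"], ev.get("attachment")))
        # Attachment operations by a user who is not a member of the board.
        board = ev.get("board")
        if ev["user"] not in board_members.get(board, set()):
            if (ev["user"], board) not in non_member_flagged:
                non_member_flagged.add((ev["user"], board))
                alerts.append(("non_member_attachment_access", ev["user"], board))
        # Many attachment operations from a single user in a short time (sliding window).
        q = recent[ev["user"]]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:
            q.popleft()
        if len(q) >= burst_threshold and ev["user"] not in burst_flagged:
            burst_flagged.add(ev["user"])
            alerts.append(("attachment_burst", ev["user"], len(q)))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Tune burst_threshold and window to the normal attachment activity of your boards before alerting on it, and feed the membership table from WeKan's own board membership data rather than a static dict.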
