CVE-2026-1962

6.3 MEDIUM

📋 TL;DR

This vulnerability in WeKan's attachment migration component allows attackers to bypass access controls and potentially read or manipulate attachments they are not permitted to access. It affects all WeKan instances up to version 8.20 and can be exploited remotely without authentication.

💻 Affected Systems

Products:
  • WeKan
Versions: All versions up to 8.20
Operating Systems: All platforms running WeKan
Default Config Vulnerable: ⚠️ Yes
Notes: All WeKan deployments using affected versions are vulnerable regardless of configuration.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case: Attackers could access sensitive attachments, modify board content, or potentially escalate privileges within the WeKan instance.

🟠 Likely Case: Unauthorized access to attachments and board data that should be restricted, potentially exposing confidential information.

🟢 If Mitigated: With proper network segmentation and access controls, the impact is limited to the WeKan application data only.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The vulnerability involves improper access controls in attachment migration, which typically requires minimal technical skill to exploit.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 8.21

Vendor Advisory: https://github.com/wekan/wekan/releases/tag/v8.21

Restart Required: Yes

Instructions:

1. Back up your WeKan data and configuration.
2. Stop the WeKan service.
3. Update to WeKan version 8.21 or later.
4. Restart the WeKan service.
5. Verify the update was successful.

🔧 Temporary Workarounds

Disable attachment migration feature (applies to: all)

Temporarily disable the attachment migration functionality if it is not actively needed.

Network isolation (applies to: all)

Restrict network access to the WeKan instance to trusted networks only.

🧯 If You Can't Patch

  • Implement strict network access controls to limit exposure
  • Monitor for suspicious attachment access patterns and implement additional authentication layers

🔍 How to Verify

Check if Vulnerable:

Check WeKan version via admin interface or by examining the running container/process version

Check Version:

Check WeKan admin panel or run: docker inspect wekan/wekan | grep WEKAN_VERSION

Verify Fix Applied:

Confirm version is 8.21 or later and test attachment access controls
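Added example for the version check above (not code from the advisory or the WeKan project): a POSIX shell script that pulls WEKAN_VERSION out of docker inspect output and compares it component by component against the 8.21 fix version, so that a release such as 8.9 is not mistaken for being newer than 8.21. It assumes the container exposes a WEKAN_VERSION environment variable, as the docker inspect check above does; the JSON inside is a constructed sample.

```shell
#!/bin/sh
# Decide whether a running WeKan is still affected by CVE-2026-1962 (fixed in 8.21).
# Assumes the container exposes a WEKAN_VERSION environment variable, as the
# advisory's `docker inspect ... | grep WEKAN_VERSION` check does.

FIXED_VERSION="8.21"

# Pull the WEKAN_VERSION value out of `docker inspect` JSON read from stdin.
extract_wekan_version() {
  sed -n 's/.*"WEKAN_VERSION=\([0-9][0-9.]*\)".*/\1/p' | head -n 1
}

# Component-wise numeric comparison: prints -1, 0 or 1 for a<b, a=b, a>b.
# A plain string compare would rank 8.9 above 8.21; this does not.
compare_versions() {
  a="$1"; b="$2"
  while [ -n "$a" ] || [ -n "$b" ]; do
    ah="${a%%.*}"; bh="${b%%.*}"             # leading component of each
    [ "$a" = "$ah" ] && a="" || a="${a#*.}"  # drop it from the remainder
    [ "$b" = "$bh" ] && b="" || b="${b#*.}"
    ah="${ah:-0}"; bh="${bh:-0}"             # missing component counts as 0
    if [ "$ah" -lt "$bh" ]; then echo -1; return; fi
    if [ "$ah" -gt "$bh" ]; then echo 1; return; fi
  done
  echo 0
}

# True (exit 0) when the version is older than the fixed release.
is_vulnerable() {
  [ "$(compare_versions "$1" "$FIXED_VERSION")" -lt 0 ]
}

# Constructed sample of the relevant part of `docker inspect` output;
# against a real host: docker inspect wekan/wekan | check_inspect_output
SAMPLE_INSPECT='[{"Config":{"Env":["PATH=/usr/bin","WEKAN_VERSION=8.20"]}}]'

check_inspect_output() {
  v=$(extract_wekan_version)
  if [ -z "$v" ]; then echo "WEKAN_VERSION not found"; return 2; fi
  if is_vulnerable "$v"; then
    echo "WeKan $v: VULNERABLE, update to $FIXED_VERSION or later"; return 1
  fi
  echo "WeKan $v: patched"; return 0
}

printf '%s\n' "$SAMPLE_INSPECT" | check_inspect_output || true
```

The exit status of check_inspect_output (0 patched, 1 vulnerable, 2 version not found) makes it usable from a fleet-wide inventory loop.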

📡 Detection & Monitoring

Log Indicators:

  • Unusual attachment access patterns
  • Failed authentication attempts followed by successful attachment access
  • Access to attachments from unauthorized users

Network Indicators:

  • Unusual HTTP requests to attachment endpoints
  • Requests bypassing normal authentication flows

SIEM Query:

source="wekan" AND (event="attachment_access" OR event="file_download") AND user NOT IN authorized_users

🔗 References
