CVE-2026-1964

4.3 MEDIUM

📋 TL;DR

WeKan up to and including version 8.20 enforces access controls improperly on a REST endpoint (the board handling in models/boards.js). A remote attacker who holds an ordinary WeKan account can use the REST API to read, and potentially modify, board data belonging to boards they are not a member of. The fix is in 8.21.

💻 Affected Systems

Products:
  • WeKan
Versions: up to 8.20
Operating Systems: All platforms running WeKan
Default Config Vulnerable: ⚠️ Yes
Notes: The affected code is the REST endpoint handling in models/boards.js; the web UI is not the attack surface, the /api/ routes are.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Unauthorized users gain full access to sensitive board data, including confidential information, and potentially modify or delete board contents.

🟠

Likely Case

Limited unauthorized access to some board data, potentially exposing internal project information or user details.

🟢

If Mitigated

Exposure is limited if network controls keep untrusted users from reaching the REST API. Because an authenticated account is sufficient to exploit it, segmentation does not protect against existing low-privilege users of the instance; only upgrading to 8.21 removes the flaw.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: No
Weaponized: UNKNOWN
Unauthenticated Exploit: No (a valid WeKan account is required)
Complexity: LOW

Remote exploitation is possible with any authenticated account; the attacker needs only a basic understanding of WeKan's REST API (how to obtain a login token and address /api/boards/ resources) and the ID of a target board.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 8.21

Vendor Advisory: https://github.com/wekan/wekan/releases/tag/v8.21

Restart Required: Yes

Instructions:

1. Back up your WeKan data (MongoDB) and configuration.
2. Stop the WeKan service.
3. Update to WeKan version 8.21 using the method you deployed it with (package/image update or manual installation).
4. Restart the WeKan service.
5. Verify the update was successful (see "How to Verify" below).

🔧 Temporary Workarounds

Restrict REST API Access

Use host firewall rules to limit which networks can reach the WeKan listener (Linux/iptables shown; replace trusted_network with your office or VPN CIDR). Note that this restricts the whole application, not only /api/, because the REST API is served on the same port as the UI:

# allow only the trusted range, then drop everything else to the WeKan port (default 3000)
iptables -A INPUT -p tcp --dport 3000 -s trusted_network -j ACCEPT
iptables -A INPUT -p tcp --dport 3000 -j DROP

Caveats: INPUT rules are not persistent across reboots unless saved with your distribution's iptables-save mechanism. If WeKan runs in Docker with a published port, traffic to the container does not traverse the INPUT chain, so equivalent rules must go in the DOCKER-USER chain instead. If WeKan sits behind a reverse proxy, apply the restriction at the proxy (for example on the /api/ location) rather than on port 3000.

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate WeKan from untrusted networks
  • Add additional authentication/authorization layer in front of WeKan REST endpoints

🔍 How to Verify

Check if Vulnerable:

Check WeKan version: if version is 8.20 or lower, system is vulnerable

Check Version:

Check WeKan admin interface or run: node -e "console.log(require('./package.json').version)" from WeKan directory

Verify Fix Applied:

Verify version is 8.21 or higher and test REST endpoint access controls
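One way to "test REST endpoint access controls" as the line above suggests, added here as an example (this is not WeKan's code and not part of the advisory). It assumes the documented WeKan REST API shape: POST /users/login returning a JSON body with a token, and GET /api/boards/<boardId> authorised with an Authorization: Bearer header. The check on the returned _id field and the pluggable transport are this example's own choices. Run it with a low-privilege account against the ID of a board that account is not a member of; a result of "vulnerable" means the board document was returned to a non-member.

```python
"""Probe whether a non-member WeKan account can read a board through the REST API.

Added example, not WeKan project code. Assumptions: POST /users/login takes form
fields username/password and returns JSON containing "token"; GET /api/boards/<id>
accepts "Authorization: Bearer <token>" and returns the board document (with "_id")
to authorised callers. Adjust the paths if your deployment differs.
"""
import json
import urllib.error
import urllib.parse
import urllib.request
from typing import Callable, Dict, Optional, Tuple

# A transport takes (method, url, headers, body) and returns (status, body bytes).
# Real HTTP is below; a test or dry run can inject a stub with canned responses.
Transport = Callable[[str, str, Dict[str, str], Optional[bytes]], Tuple[int, bytes]]


def urllib_transport(method: str, url: str, headers: Dict[str, str],
                     body: Optional[bytes]) -> Tuple[int, bytes]:
    req = urllib.request.Request(url, data=body, headers=headers, method=method)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as e:  # 4xx/5xx are results we want to inspect
        return e.code, e.read()


def login(base_url: str, username: str, password: str, transport: Transport) -> str:
    """Obtain an API token for the low-privilege test account."""
    body = urllib.parse.urlencode({"username": username, "password": password}).encode()
    status, raw = transport("POST", f"{base_url}/users/login",
                            {"Content-Type": "application/x-www-form-urlencoded"}, body)
    if status != 200:
        raise RuntimeError(f"login failed with HTTP {status}")
    return json.loads(raw)["token"]


def board_readable(base_url: str, token: str, board_id: str,
                   transport: Transport) -> Tuple[int, bool]:
    """Return (HTTP status, True if an actual board document for board_id came back)."""
    status, raw = transport("GET", f"{base_url}/api/boards/{board_id}",
                            {"Authorization": f"Bearer {token}"}, None)
    if status != 200:
        return status, False
    try:
        data = json.loads(raw)
    except ValueError:
        return status, False
    # Only count it as a leak if the response is the board itself, not an empty body.
    return status, isinstance(data, dict) and data.get("_id") == board_id


def assess(base_url: str, username: str, password: str, foreign_board_id: str,
           transport: Transport = urllib_transport) -> str:
    """'vulnerable' if the non-member can read the board, 'ok' if access is denied."""
    token = login(base_url, username, password, transport)
    status, leaked = board_readable(base_url, token, foreign_board_id, transport)
    if leaked:
        return "vulnerable"
    if status in (401, 403):
        return "ok"
    return f"inconclusive (HTTP {status})"


if __name__ == "__main__":
    import sys
    # usage: python probe.py https://wekan.example.com user password <boardIdUserIsNotMemberOf>
    print(assess(*sys.argv[1:5]))
```

Run the probe before and after upgrading to 8.21: an instance with the fix should answer "ok" (401 or 403) for a board the account does not belong to. Any other status is reported as inconclusive rather than guessed at, since a 404 or 500 says nothing about whether the authorisation check is present.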

📡 Detection & Monitoring

Log Indicators:

  • Unusual REST API access patterns
  • Failed authentication attempts followed by successful board access
  • Access to /api/boards/ endpoints from unauthorized IPs

Network Indicators:

  • Unusual traffic to WeKan REST API endpoints
  • Multiple failed authentication attempts

SIEM Query:

source="wekan" AND uri_path="/api/boards/*" AND NOT user IN authorized_users

This is pseudo-syntax; translate it to your SIEM's query language. Two points matter when doing so: the path condition must be ANDed with the other terms (ORing on method would match every POST/PUT/DELETE anywhere in the application), and "authorized_users" has to be the member list of the specific board named in uri_path, not a global list, because every WeKan user is authorised for some board. Requests with method POST, PUT or DELETE that pass this filter deserve the highest priority, since they indicate modification rather than read access.
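The per-board membership check that the log indicators above call for, written out as an added example (not WeKan code and not part of the advisory). The log lines are constructed JSON records with the fields user, method, uri_path, status and src_ip, an assumed shape that a real deployment would have to map its proxy or SIEM fields onto; the board membership map is likewise constructed inline, where in practice it would be exported from WeKan's database or fetched over the REST API. The severity ranking (any non-member request is an attempt, a 2xx is a successful bypass, a 2xx on a mutating method is worst) is this example's own.

```python
"""Flag WeKan REST requests to boards by users who are not members of that board.

Added example, not from WeKan or the advisory. Input is constructed JSON-lines with
fields user, method, uri_path, status, src_ip (an assumed format); membership is a
constructed board-id -> set-of-user-ids map (would come from WeKan's DB or API).
"""
import json
import re
from typing import Dict, Iterable, List, Set

# Matches /api/boards/<boardId> and nested resources such as /api/boards/<id>/lists/<id>,
# but not the admin-only list endpoint /api/boards itself.
BOARD_PATH = re.compile(r"^/api/boards/(?P<board>[^/?]+)(?:/|$)")
MUTATING = {"POST", "PUT", "DELETE"}

# Constructed sample log: alice and bob are members of bAlpha, carol of bBeta,
# "admin" is an instance admin, mallory is a valid user who belongs to neither board.
SAMPLE_LOG = """
{"ts":"2026-03-01T10:00:01Z","src_ip":"10.1.2.3","user":"alice","method":"GET","uri_path":"/api/boards/bAlpha","status":200}
{"ts":"2026-03-01T10:00:02Z","src_ip":"10.1.2.9","user":"mallory","method":"GET","uri_path":"/api/boards/bAlpha","status":200}
{"ts":"2026-03-01T10:00:03Z","src_ip":"10.1.2.9","user":"mallory","method":"PUT","uri_path":"/api/boards/bAlpha/lists/l1","status":200}
{"ts":"2026-03-01T10:00:04Z","src_ip":"10.1.2.9","user":"mallory","method":"GET","uri_path":"/api/boards/bBeta","status":403}
{"ts":"2026-03-01T10:00:05Z","src_ip":"10.1.2.3","user":"alice","method":"GET","uri_path":"/api/users/alice/boards","status":200}
{"ts":"2026-03-01T10:00:06Z","src_ip":"10.1.2.4","user":"admin","method":"GET","uri_path":"/api/boards","status":200}
not json at all
"""
MEMBERSHIP: Dict[str, Set[str]] = {"bAlpha": {"alice", "bob"}, "bBeta": {"carol"}}
ADMINS: Set[str] = {"admin"}


def parse_lines(lines: Iterable[str]) -> List[dict]:
    """Parse JSON-lines, skipping blank and malformed lines instead of aborting."""
    records = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            records.append(json.loads(line))
        except ValueError:
            continue
    return records


def find_unauthorized(records: Iterable[dict], membership: Dict[str, Set[str]],
                      admins: Set[str] = frozenset()) -> List[dict]:
    """Return one finding per board request made by a user who is not a member of that board."""
    findings = []
    for rec in records:
        match = BOARD_PATH.match(rec.get("uri_path", ""))
        if not match:
            continue
        board = match.group("board")
        user = rec.get("user")
        if user in admins or user in membership.get(board, set()):
            continue
        status = int(rec.get("status", 0))
        # Any non-member request is an attempt; a 2xx means the server honoured it.
        severity = "high" if 200 <= status < 300 else "low"
        if severity == "high" and rec.get("method") in MUTATING:
            severity = "critical"  # data was changed, not just read
        findings.append({
            "user": user, "board": board, "method": rec.get("method"),
            "status": status, "src_ip": rec.get("src_ip"), "severity": severity,
        })
    return findings


if __name__ == "__main__":
    for f in find_unauthorized(parse_lines(SAMPLE_LOG.splitlines()), MEMBERSHIP, ADMINS):
        print(f)
```

On the constructed sample this yields three findings, all for mallory: a high-severity successful read of bAlpha, a critical successful PUT under bAlpha, and a low-severity denied read of bBeta. The denied request is still worth recording, since a user probing board IDs they do not belong to is the precursor to the other two.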
