CVE-2026-2205

4.3 MEDIUM

📋 TL;DR

This vulnerability in WeKan allows remote attackers to access sensitive information through the Meteor Publication Handler in the cards.js component. It affects all WeKan instances up to version 8.20. Attackers can exploit this without authentication to potentially view confidential card data.

💻 Affected Systems

Products:
  • WeKan
Versions: All versions up to 8.20
Operating Systems: All platforms running WeKan
Default Config Vulnerable: ⚠️ Yes
Notes: All WeKan deployments using vulnerable versions are affected regardless of configuration.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete exposure of all card data including sensitive business information, user details, and potentially authentication tokens.

🟠 Likely Case

Unauthorized access to card contents, board metadata, and user information leading to data leakage.

🟢 If Mitigated

Limited or no data exposure if proper network segmentation and access controls are implemented.

🌐 Internet-Facing: HIGH - Remote exploitation without authentication makes internet-facing instances particularly vulnerable.
🏢 Internal Only: MEDIUM - Internal attackers could still exploit this, but network segmentation reduces exposure.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Remote exploitation without authentication suggests relatively simple attack vectors.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 8.21

Vendor Advisory: https://github.com/wekan/wekan/releases/tag/v8.21

Restart Required: Yes

Instructions:

1. Back up your WeKan data and configuration.
2. Stop the WeKan service.
3. Update to WeKan version 8.21 using your package manager or deployment method.
4. Restart the WeKan service.
5. Verify the update was successful.

🔧 Temporary Workarounds

Network Isolation (Linux)

Restrict network access to WeKan instances to trusted IP addresses only. Replace trusted_ip_range with your own address or CIDR range; the ACCEPT rule must precede the DROP rule.

  # allow only the trusted range to reach the WeKan port (3000 here)
  iptables -A INPUT -p tcp --dport 3000 -s trusted_ip_range -j ACCEPT
  # drop everything else destined for that port
  iptables -A INPUT -p tcp --dport 3000 -j DROP

🧯 If You Can't Patch

  • Implement strict network access controls to limit exposure to trusted networks only
  • Monitor for unusual access patterns to the cards.js endpoint and investigate anomalies

🔍 How to Verify

Check if Vulnerable:

Check WeKan version: if version is 8.20 or lower, the system is vulnerable

Check Version:

Check WeKan admin panel or run: docker inspect wekan/wekan | grep WEKAN_VERSION

Verify Fix Applied:

Verify version is 8.21 or higher and test that card data access follows proper authorization

📡 Detection & Monitoring

Log Indicators:

  • Unusual access patterns to /publications/cards.js endpoint
  • Multiple failed authentication attempts followed by successful card data access

Network Indicators:

  • External IP addresses accessing card publication endpoints without prior authentication

SIEM Query:

source="wekan" AND (uri_path="/publications/cards.js" OR uri_path="/cards") AND http_status=200 AND NOT user_agent="browser_agent"
