CVE-2026-2207

5.3 MEDIUM

📋 TL;DR

This vulnerability in WeKan versions up to 8.20 allows remote attackers to access sensitive information through the Activity Publication Handler component. The weakness in the activities.js file enables information disclosure, potentially exposing internal data. All users running affected WeKan versions are at risk.

💻 Affected Systems

Products:
  • WeKan
Versions: Up to and including version 8.20
Operating Systems: All platforms running WeKan
Default Config Vulnerable: ⚠️ Yes
Notes: All WeKan deployments using affected versions are vulnerable regardless of configuration.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could access sensitive user data, activity logs, or internal system information that could facilitate further attacks.

🟠 Likely Case

Unauthorized access to activity data and potentially user information that could be used for reconnaissance or targeted attacks.

🟢 If Mitigated

Limited exposure with proper network segmentation and access controls, though information leakage is still possible.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Remote exploitation is possible, though specific exploit details are not publicly documented.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 8.21

Vendor Advisory: https://github.com/wekan/wekan/releases/tag/v8.21

Restart Required: Yes

Instructions:

1. Back up your WeKan data and configuration.
2. Stop the WeKan service.
3. Update to WeKan version 8.21 using your package manager or a manual installation.
4. Restart the WeKan service.
5. Verify that the update was successful.

🔧 Temporary Workarounds

Network Access Restriction

Restrict network access to the WeKan instance to trusted IP addresses only (Linux):

# Use firewall rules to restrict access; the ACCEPT rule for the trusted source
# must precede the DROP rule so that iptables matches it first
iptables -A INPUT -p tcp --dport [WEKAN_PORT] -s [TRUSTED_IP] -j ACCEPT
iptables -A INPUT -p tcp --dport [WEKAN_PORT] -j DROP

🧯 If You Can't Patch

  • Implement strict network segmentation and firewall rules to limit access to the WeKan instance
  • Monitor access logs for unusual activity patterns and implement rate limiting

🔍 How to Verify

Check if Vulnerable:

Check WeKan version in admin panel or via package manager. Versions 8.20 and below are vulnerable.

Check Version:

dpkg -l | grep wekan  # Debian/Ubuntu or check WeKan admin interface

Verify Fix Applied:

Verify version is 8.21 or higher and check that commit 91a936e07d2976d4246dfe834281c3aaa87f9503 is present.
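A small version check in POSIX sh, added here as an example and not part of this advisory or of the WeKan project. It assumes version strings in the form used by the release tags (8.20, v8.21) and, for the commit check, a git clone of the WeKan repository; it compares major and minor numerically so that 8.9 is correctly ranked below 8.20 and 8.21 (a plain string comparison would not).

```shell
#!/bin/sh
# Added example (not WeKan's own tooling): classify a WeKan version string
# against the CVE-2026-2207 affected range (<= 8.20, fixed in 8.21).

# wekan_is_fixed VERSION -> exit 0 if 8.21 or newer, 1 if affected,
# 2 if the string is not a parseable major.minor version.
wekan_is_fixed() {
    v=${1#v}                       # tolerate a leading "v" as in the release tag
    case "$v" in
        *.*) major=${v%%.*}; minor=${v#*.}; minor=${minor%%.*} ;;
        *)   major=$v; minor=0 ;;
    esac
    case "$major" in ''|*[!0-9]*) return 2 ;; esac
    case "$minor" in ''|*[!0-9]*) return 2 ;; esac
    # numeric comparison: 8.9 < 8.20 < 8.21 < 9.0
    if [ "$major" -gt 8 ] || { [ "$major" -eq 8 ] && [ "$minor" -ge 21 ]; }; then
        return 0
    fi
    return 1
}

# wekan_report VERSION -> one-line verdict for use in an inventory script.
wekan_report() {
    rc=0
    wekan_is_fixed "$1" || rc=$?
    case $rc in
        0) echo "WeKan $1: fixed (8.21 or later)" ;;
        1) echo "WeKan $1: VULNERABLE to CVE-2026-2207, upgrade to 8.21" ;;
        *) echo "WeKan $1: unrecognised version string" ;;
    esac
}

# wekan_has_fix_commit CHECKOUT_DIR -> exit 0 if the fix commit named in the
# advisory is an ancestor of HEAD in a (full, not shallow) git clone.
wekan_has_fix_commit() {
    git -C "$1" merge-base --is-ancestor \
        91a936e07d2976d4246dfe834281c3aaa87f9503 HEAD
}
```

Call `wekan_report "$(cat /path/to/version-string)"` from an inventory job, or `wekan_has_fix_commit /opt/wekan-src` where the deployment is built from source.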

📡 Detection & Monitoring

Log Indicators:

  • Unusual access patterns to /server/publications/activities.js
  • Multiple failed access attempts followed by successful information retrieval

Network Indicators:

  • Unusual outbound data transfers from WeKan server
  • Requests to activity endpoints from unexpected sources

SIEM Query:

source="wekan" AND (uri_path="/server/publications/activities.js" OR activity="information_disclosure")
