CVE-2026-2208

4.3 MEDIUM

📋 TL;DR

This CVE describes a missing authorization vulnerability in WeKan's Rules Handler component that allows unauthorized access to functionality. Attackers can exploit this remotely to perform actions without proper authentication. All WeKan instances up to version 8.20 are affected.

💻 Affected Systems

Products:
  • WeKan
Versions: Up to version 8.20
Operating Systems: All platforms running WeKan
Default Config Vulnerable: ⚠️ Yes
Notes: All WeKan deployments using the Rules Handler component are vulnerable regardless of configuration.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Unauthorized users could manipulate board rules, modify permissions, or access sensitive data they shouldn't have access to.

🟠 Likely Case: Attackers could bypass intended access controls to view or modify board content they shouldn't have permissions for.

🟢 If Mitigated: With proper network segmentation and access controls, impact would be limited to authorized users within the application.

🌐 Internet-Facing: HIGH - Attack can be initiated remotely without authentication.
🏢 Internal Only: MEDIUM - Internal attackers could exploit this to escalate privileges or access unauthorized data.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The vulnerability involves missing authorization checks, which typically require minimal technical skill to exploit.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 8.21

Vendor Advisory: https://github.com/wekan/wekan/releases/tag/v8.21

Restart Required: Yes

Instructions:

1. Backup your WeKan data and configuration
2. Stop the WeKan service
3. Update to WeKan version 8.21 or later
4. Restart the WeKan service
5. Verify the update was successful

🔧 Temporary Workarounds

Disable Rules Handler (applies to: all)
  • Temporarily disable the vulnerable Rules Handler component
  • Modify WeKan configuration to disable rules functionality

Network Access Restriction (applies to: all)
  • Restrict network access to the WeKan instance
  • Configure firewall rules to limit access to trusted IPs only

🧯 If You Can't Patch

  • Implement strict network access controls to limit exposure
  • Disable or restrict access to the Rules Handler functionality

🔍 How to Verify

Check if Vulnerable:

Check WeKan version - if it's 8.20 or earlier, it's vulnerable

Check Version:

Check the WeKan admin panel or run the appropriate version-check command for your deployment method

Verify Fix Applied:

Verify version is 8.21 or later and test authorization controls for rules functionality

📡 Detection & Monitoring

Log Indicators:

  • Unauthorized access attempts to rules endpoints
  • Unexpected rule modifications by unauthenticated users

Network Indicators:

  • Requests to /api/rules/ endpoints from unauthorized sources

SIEM Query:

source="wekan" AND (uri_path="/api/rules/*" OR uri_path="/server/publications/rules.js") AND user="anonymous"
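Added example (not WeKan project code) that applies the SIEM query's logic to a few constructed JSON-lines log records. The `source`, `uri_path` and `user` field names follow the query above; the JSON-lines log format itself is an assumption.

```python
"""Replay the advisory's SIEM logic over constructed WeKan access-log lines."""
import fnmatch
import json

# Patterns taken from the SIEM query: a wildcard match on the REST rules API
# and an exact match on the rules publication file.
RULES_PATH_PATTERNS = ("/api/rules/*", "/server/publications/rules.js")

# Constructed sample log lines (JSON lines); not captured from a real deployment.
SAMPLE_LOG = """\
{"source": "wekan", "ts": "2026-01-10T09:00:01Z", "uri_path": "/api/boards/abc", "user": "alice"}
{"source": "wekan", "ts": "2026-01-10T09:00:02Z", "uri_path": "/api/rules/", "user": "anonymous"}
{"source": "wekan", "ts": "2026-01-10T09:00:03Z", "uri_path": "/api/rules/r1", "user": "bob"}
{"source": "wekan", "ts": "2026-01-10T09:00:04Z", "uri_path": "/server/publications/rules.js", "user": "anonymous"}
{"source": "nginx", "ts": "2026-01-10T09:00:05Z", "uri_path": "/api/rules/r2", "user": "anonymous"}
{"source": "wekan", "ts": "2026-01-10T09:00:06Z", "uri_path": "/api/rulesets", "user": "anonymous"}
"""


def is_rules_path(uri_path: str) -> bool:
    """True when the path matches one of the advisory's rules-endpoint patterns."""
    return any(fnmatch.fnmatchcase(uri_path, pat) for pat in RULES_PATH_PATTERNS)


def parse_log(text: str) -> list[dict]:
    """Parse JSON-lines log text, skipping blank or malformed lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # malformed line: skip it rather than abort the whole scan
    return events


def find_anonymous_rules_access(text: str) -> list[dict]:
    """Events matching: source="wekan" AND rules path AND user="anonymous"."""
    return [
        ev for ev in parse_log(text)
        if ev.get("source") == "wekan"
        and ev.get("user") == "anonymous"
        and is_rules_path(ev.get("uri_path", ""))
    ]


if __name__ == "__main__":
    for hit in find_anonymous_rules_access(SAMPLE_LOG):
        print(f'{hit["ts"]} anonymous request to {hit["uri_path"]}')
```

The wildcard is evaluated as a glob, so `/api/rulesets` is not matched by `/api/rules/*` and only the two anonymous hits on rules paths from the `wekan` source are reported.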
