CVE-2026-2209

6.3 MEDIUM

📋 TL;DR

This vulnerability in WeKan allows remote attackers to bypass authorization controls in the custom translation handler. Attackers can manipulate translation settings without proper permissions. All WeKan instances up to version 8.18 are affected.

💻 Affected Systems

Products:
  • WeKan
Versions: up to 8.18
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: All default installations of affected versions are vulnerable.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Unauthorized users could modify system translations, potentially altering interface text to mislead users or hide malicious activities.

🟠 Likely Case

Attackers could modify translation settings to disrupt user experience or create confusion within the application.

🟢 If Mitigated

With proper network segmentation and access controls, impact would be limited to the WeKan application only.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires some level of access to the WeKan interface but bypasses authorization checks.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 8.19

Vendor Advisory: https://github.com/wekan/wekan/releases/tag/v8.19

Restart Required: Yes

Instructions:

1. Back up your WeKan data and configuration.
2. Stop the WeKan service.
3. Update to version 8.19 using your package manager or by downloading from GitHub releases.
4. Restart the WeKan service.
5. Verify the update was successful.

🔧 Temporary Workarounds

Disable Custom Translations (applies to: all affected versions)

Temporarily disable the custom translation feature to prevent exploitation: modify the WeKan configuration to disable access to translation settings.

🧯 If You Can't Patch

  • Implement strict network access controls to limit WeKan exposure
  • Monitor for unauthorized translation setting changes in application logs

🔍 How to Verify

Check if Vulnerable:

Check WeKan version via admin interface or by examining package version

Check Version:

Check WeKan admin panel or run: dpkg -l | grep wekan (on Debian/Ubuntu)

Verify Fix Applied:

Verify that the installed version is 8.19 or higher, then confirm with a limited (non-admin) user account that translation settings can no longer be modified.
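The version comparison above is easy to get wrong by hand (a plain string compare puts 8.2 after 8.19). The following POSIX sh helper is an added example, not part of this advisory or of the WeKan project; it compares a dot-separated version string numerically against the fixed version 8.19 and reports whether the install is still in the affected range. It assumes the version string starts with a numeric core (a leading "v", as in the release tag, and any "-rc"/"+build" suffix are stripped before comparing).

```shell
#!/bin/sh
# Added example (not WeKan project code): is a given WeKan version below the fixed release?
FIXED_VERSION="8.19"   # first release containing the fix, per the advisory

# version_lt A B : return 0 if A < B, comparing dot-separated fields as integers.
# Missing trailing fields count as 0, so 8.19 equals 8.19.0.
version_lt() {
  a="$1"; b="$2"
  while [ -n "$a" ] || [ -n "$b" ]; do
    case "$a" in *.*) fa=${a%%.*}; a=${a#*.} ;; *) fa=$a; a= ;; esac
    case "$b" in *.*) fb=${b%%.*}; b=${b#*.} ;; *) fb=$b; b= ;; esac
    fa=${fa:-0}; fb=${fb:-0}
    if [ "$fa" -lt "$fb" ]; then return 0; fi
    if [ "$fa" -gt "$fb" ]; then return 1; fi
  done
  return 1   # equal
}

# is_vulnerable VERSION : return 0 if VERSION is below FIXED_VERSION.
# Assumption: a leading "v" and any -pre/+build suffix can be dropped safely.
is_vulnerable() {
  v=${1#v}
  v=${v%%[-+]*}
  version_lt "$v" "$FIXED_VERSION"
}

# Usage: sh check_wekan.sh <version>   (e.g. the value shown in the admin panel)
if [ -n "${1:-}" ]; then
  if is_vulnerable "$1"; then
    echo "$1: VULNERABLE (below $FIXED_VERSION), update required"
  else
    echo "$1: at or above $FIXED_VERSION, fix present"
  fi
fi
```

Feed it the version string from the admin panel or package listing; a zero exit status from is_vulnerable means the install is still in the affected range.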

📡 Detection & Monitoring

Log Indicators:

  • Unauthorized access attempts to translation settings
  • Unexpected translation modifications

Network Indicators:

  • Unusual API calls to translation endpoints from unauthorized sources

SIEM Query:

source="wekan" AND (event="translation_modify" OR endpoint="/api/translation") AND user.role!="admin"
