Description

A vulnerability was found in WeKan up to 8.20. It affects unknown functionality in the file server/methods/positionHistory.js of the Position-History Tracking component. Manipulation results in missing authorization. The attack can be performed remotely. Upgrading to version 8.21 can resolve this issue. The patch is identified as 55576ec17722db094835470b386162c9a662fb60. Upgrading the affected component is advised.

PUBLISHED Reserved 2026-02-04 | Published 2026-02-05 | Updated 2026-02-05 | Assigner VulDB




MEDIUM: 5.3 | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X
MEDIUM: 4.3 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:X/RL:O/RC:C
MEDIUM: 4.3 | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:X/RL:O/RC:C
4.0 | AV:N/AC:L/Au:S/C:P/I:N/A:N/E:ND/RL:OF/RC:C

Problem types

Missing Authorization

Incorrect Authorization

Timeline

2026-02-04: Advisory disclosed
2026-02-04: VulDB entry created
2026-02-04: VulDB entry last update

Credits

MegaManSec (VulDB User) reporter

References

vuldb.com/?id.344269 (VDB-344269 | WeKan Position-History Tracking positionHistory.js PositionHistoryBleed authorization) vdb-entry

vuldb.com/?ctiid.344269 (VDB-344269 | CTI Indicators (IOB, IOC, IOA)) signature permissions-required

vuldb.com/?submit.742671 (Submit #742671 | Wekan <8.21 Missing authorization checks leading to information disclosure a) third-party-advisory

github.com/...ommit/55576ec17722db094835470b386162c9a662fb60 patch

github.com/wekan/wekan/releases/tag/v8.21 patch

github.com/wekan/wekan/ product

cve.org (CVE-2026-1897)

nvd.nist.gov (CVE-2026-1897)