
Description

A vulnerability was found in WeKan up to version 8.20. It affects an unknown part of the file packages/wekan-ldap/server/syncUser.js in the LDAP User Sync component. The flaw results in improper access controls, and the attack can be initiated remotely. Upgrading to version 8.21 mitigates this issue; the fixing patch is commit 146905a459106b5d00b4f09453a6554255e6965a. Upgrading the affected component is recommended.

Status: PUBLISHED | Reserved 2026-02-04 | Published 2026-02-05 | Updated 2026-02-05 | Assigner: VulDB

MEDIUM: 5.3 CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X
MEDIUM: 6.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:X/RL:O/RC:C
MEDIUM: 6.3 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:X/RL:O/RC:C
6.5 AV:N/AC:L/Au:S/C:P/I:P/A:P/E:ND/RL:OF/RC:C (CVSS 2.0)

Problem types

Improper Access Controls

Incorrect Privilege Assignment

Timeline

2026-02-04: Advisory disclosed
2026-02-04: VulDB entry created
2026-02-04: VulDB entry last update

Credits

MegaManSec (VulDB User), reporter

References

vuldb.com/?id.344270 (VDB-344270 | WeKan LDAP User Sync syncUser.js SyncLDAPBleed access control) vdb-entry

vuldb.com/?ctiid.344270 (VDB-344270 | CTI Indicators (IOB, IOC, TTP, IOA)) signature permissions-required

vuldb.com/?submit.742676 (Submit #742676 | Wekan <8.21 Missing authorization on admin function (CWE-284)) third-party-advisory

github.com/...ommit/146905a459106b5d00b4f09453a6554255e6965a patch

github.com/wekan/wekan/releases/tag/v8.21 patch

github.com/wekan/wekan/ product

cve.org (CVE-2026-1898)

nvd.nist.gov (CVE-2026-1898)
