Home

Description

A vulnerability was found in WeKan up to 8.20. This affects an unknown function of the file models/attachments.js of the component Attachment Storage. The manipulation results in improper access controls. The attack may be launched remotely. Upgrading to version 8.21 mitigates this issue. The patch is identified as c413a7e860bc4d93fe2adcf82516228570bf382d. Upgrading the affected component is advised.

PUBLISHED Reserved 2026-02-05 | Published 2026-02-05 | Updated 2026-02-23 | Assigner VulDB




MEDIUM: 5.3CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X
MEDIUM: 6.3CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:X/RL:O/RC:C
MEDIUM: 6.3CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:X/RL:O/RC:C
6.5AV:N/AC:L/Au:S/C:P/I:P/A:P/E:ND/RL:OF/RC:C

Problem types

Improper Access Controls

Incorrect Privilege Assignment

Timeline

2026-02-05:Advisory disclosed
2026-02-05:VulDB entry created
2026-02-06:VulDB entry last update

Credits

MegaManSec (VulDB User) reporter

References

vuldb.com/?id.344485 (VDB-344485 | WeKan Attachment Storage attachments.js MoveStorageBleed access control) vdb-entry technical-description

vuldb.com/?ctiid.344485 (VDB-344485 | CTI Indicators (IOB, IOC, TTP, IOA)) signature permissions-required

vuldb.com/?submit.742678 (Submit #742678 | Wekan <8.21 Improper access control (CWE-284)) third-party-advisory

github.com/...ommit/c413a7e860bc4d93fe2adcf82516228570bf382d patch

github.com/wekan/wekan/releases/tag/v8.21 patch

github.com/wekan/wekan/ product

cve.org (CVE-2026-1963)

nvd.nist.gov (CVE-2026-1963)

Download JSON