Description

A security vulnerability has been detected in WeKan up to 8.20. It affects an unknown function of the file server/publications/rules.js in the Rules Handler component. Manipulation leads to missing authorization, and the attack can be initiated remotely. Upgrading the affected component to version 8.21 is recommended to address this issue. The identifier of the patch is a787bcddf33ca28afb13ff5ea9a4cb92dceac005.

PUBLISHED Reserved 2026-02-08 | Published 2026-02-08 | Updated 2026-02-23 | Assigner VulDB




MEDIUM: 5.3 | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X
MEDIUM: 4.3 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:X/RL:O/RC:C
MEDIUM: 4.3 | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:X/RL:O/RC:C
4.0 | AV:N/AC:L/Au:S/C:P/I:N/A:N/E:ND/RL:OF/RC:C

Problem types

Missing Authorization

Incorrect Authorization

Timeline

2026-02-08: Advisory disclosed
2026-02-08: VulDB entry created
2026-02-12: VulDB entry last update

Credits

MegaManSec (VulDB User) reporter

References

vuldb.com/?id.344922 (VDB-344922 | WeKan Rules rules.js RulesBleed authorization) vdb-entry technical-description

vuldb.com/?ctiid.344922 (VDB-344922 | CTI Indicators (IOB, IOC, IOA)) signature permissions-required

vuldb.com/?submit.752164 (Submit #752164 | Wekan <8.21 Information disclosure / missing authorization on admin publicat) third-party-advisory

github.com/...ommit/a787bcddf33ca28afb13ff5ea9a4cb92dceac005 patch

github.com/wekan/wekan/releases/tag/v8.21 patch

github.com/wekan/wekan/ product

cve.org (CVE-2026-2208)

nvd.nist.gov (CVE-2026-2208)
