A vulnerability was detected in WeKan up to 8.20. This impacts an unknown function of the file models/checklistItems.js of the component REST API. Performing a manipulation of the argument item.cardId/item.checklistId/card.boardId results in improper authorization. Remote exploitation of the attack is possible. Upgrading to version 8.21 will fix this issue. The patch is named 251d49eea94834cf351bb395808f4a56fb4dbb44. Upgrading the affected component is recommended.
References
| Link | Resource |
|---|---|
| https://github.com/wekan/wekan/ | Product |
| https://github.com/wekan/wekan/commit/251d49eea94834cf351bb395808f4a56fb4dbb44 | Patch |
| https://github.com/wekan/wekan/releases/tag/v8.21 | Product Release Notes |
| https://vuldb.com/?ctiid.344266 | Permissions Required VDB Entry |
| https://vuldb.com/?id.344266 | Third Party Advisory VDB Entry |
| https://vuldb.com/?submit.742663 | Third Party Advisory VDB Entry |
Configurations
History
11 Feb 2026, 19:08
| Type | Values Removed | Values Added |
|---|---|---|
| References | () https://github.com/wekan/wekan/ - Product | |
| References | () https://github.com/wekan/wekan/commit/251d49eea94834cf351bb395808f4a56fb4dbb44 - Patch | |
| References | () https://github.com/wekan/wekan/releases/tag/v8.21 - Product, Release Notes | |
| References | () https://vuldb.com/?ctiid.344266 - Permissions Required, VDB Entry | |
| References | () https://vuldb.com/?id.344266 - Third Party Advisory, VDB Entry | |
| References | () https://vuldb.com/?submit.742663 - Third Party Advisory, VDB Entry | |
| First Time |
Wekan Project wekan
Wekan Project |
|
| CPE | cpe:2.3:a:wekan_project:wekan:*:*:*:*:*:*:*:* |
04 Feb 2026, 23:15
| Type | Values Removed | Values Added |
|---|---|---|
| New CVE |
Information
Published : 2026-02-04 23:15
Updated : 2026-02-11 19:08
NVD link : CVE-2026-1894
Mitre link : CVE-2026-1894
CVE.ORG link : CVE-2026-1894
JSON object : View
Products Affected
wekan_project
- wekan