CVE-2026-30846

Wekan is an open source kanban tool built with Meteor. In versions 8.31.0 through 8.33, the globalwebhooks publication exposes all global webhook integrations—including sensitive url and token fields—without performing any authentication check on the server side. Although the subscription is normally invoked from the admin settings page, the server-side publication has no access control, meaning any DDP client, including unauthenticated ones, can subscribe and receive the data. This allows an unauthenticated attacker to retrieve global webhook URLs and authentication tokens, potentially enabling unauthorized use of those webhooks and access to connected external services. This issue has been fixed in version 8.34.

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/wekan/wekan/commit/1ee9b2e917104f54c035f6426169a28fedecbdb6	Patch
https://github.com/wekan/wekan/releases/tag/v8.34	Release Notes
https://securitylab.github.com/advisories/GHSL-2026-037_Wekan/	Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:wekan_project:wekan:*:*:*:*:*:*:*:*

History

11 Mar 2026, 14:24

Type	Values Removed	Values Added
References	~~() https://github.com/wekan/wekan/commit/1ee9b2e917104f54c035f6426169a28fedecbdb6 -~~	() https://github.com/wekan/wekan/commit/1ee9b2e917104f54c035f6426169a28fedecbdb6 - Patch
References	~~() https://github.com/wekan/wekan/releases/tag/v8.34 -~~	() https://github.com/wekan/wekan/releases/tag/v8.34 - Release Notes
References	~~() https://securitylab.github.com/advisories/GHSL-2026-037_Wekan/ -~~	() https://securitylab.github.com/advisories/GHSL-2026-037_Wekan/ - Third Party Advisory
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 7.5
CPE		cpe:2.3:a:wekan_project:wekan::::::::
First Time		Wekan Project wekan Wekan Project
Summary		(es) Wekan es una herramienta kanban de código abierto construida con Meteor. En las versiones 8.31.0 a 8.33, la publicación globalwebhooks expone todas las integraciones de webhook globales —incluyendo campos sensibles de URL y token— sin realizar ninguna comprobación de autenticación en el lado del servidor. Aunque la suscripción se invoca normalmente desde la página de configuración de administrador, la publicación del lado del servidor no tiene control de acceso, lo que significa que cualquier cliente DDP, incluidos los no autenticados, puede suscribirse y recibir los datos. Esto permite a un atacante no autenticado recuperar URLs de webhook globales y tokens de autenticación, lo que podría permitir el uso no autorizado de esos webhooks y el acceso a servicios externos conectados. Este problema ha sido solucionado en la versión 8.34.

06 Mar 2026, 20:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-03-06 20:16

Updated : 2026-03-11 14:24

NVD link : CVE-2026-30846

Mitre link : CVE-2026-30846

CVE.ORG link : CVE-2026-30846

JSON object : View

Products Affected

wekan_project

wekan

CWE

CWE-200

Exposure of Sensitive Information to an Unauthorized Actor

CWE-306

Missing Authentication for Critical Function

7.5 /10