Platform: nodejs
Component: wekan
Fixed in: 8.31.1
CVE-2026-30846 is an information disclosure vulnerability affecting Wekan, an open-source kanban tool. This flaw allows unauthenticated attackers to retrieve sensitive webhook integration data, including URLs and authentication tokens. The vulnerability impacts Wekan versions 8.31.0 through 8.33 and has been resolved in version 8.34.
The primary impact of CVE-2026-30846 is the exposure of sensitive webhook integration data. Attackers can exploit this vulnerability to gain unauthorized access to systems and services integrated with Wekan webhooks. This could lead to data breaches, unauthorized actions, and potential compromise of connected applications. The lack of authentication checks on the server-side publication makes this vulnerability particularly concerning, as any DDP client can subscribe and retrieve the data. This is similar to other DDP-related vulnerabilities where improper access controls lead to data leakage.
CVE-2026-30846 was publicly disclosed on 2026-03-06. No public proof-of-concept (PoC) code has been released as of this writing. The EPSS score is currently pending evaluation. It is not currently listed on the CISA KEV catalog.
Organizations using Wekan for project management and task tracking, particularly those relying on webhooks for integration with other systems, are at risk. This includes teams using Wekan in shared hosting environments or with legacy configurations that may not have robust network security controls.
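The root cause described above is a server-side DDP publication that streams records to any subscriber without checking who is asking. The following is an added example, not Wekan's own code: it models a Meteor-style publish handler for a "globalwebhooks" publication in the vulnerable shape beside a hardened shape that gates on the subscriber's identity. The record layout, the "integrations" collection name and the isAdmin flag are assumptions chosen for illustration; Wekan's real schema may differ.

```javascript
// Added example, not Wekan's own code: a Meteor-style publication handler for a
// "globalwebhooks" publication, in a vulnerable form that sends every record to any
// DDP client, and a hardened form that checks the subscriber first.
// Assumptions: the record shape, the "integrations" collection name and the
// isAdmin flag are illustrative; Wekan's real schema may differ.

// Constructed sample data standing in for stored webhook integrations.
const INTEGRATIONS = [
  { _id: "int-1", type: "outgoing-webhooks", url: "https://hooks.example.invalid/a", token: "tok-a" },
  { _id: "int-2", type: "outgoing-webhooks", url: "https://hooks.example.invalid/b", token: "tok-b" },
];
const USERS = {
  "admin-1": { _id: "admin-1", isAdmin: true },
  "user-1": { _id: "user-1", isAdmin: false },
};

// Minimal stand-in for the `this` object Meteor hands a publish function:
// added() streams a document to the subscriber, ready() marks the subscription
// ready, error() rejects it (the client then receives a "nosub" message).
function makeContext(userId) {
  return {
    userId,
    sent: [],
    readyCalled: false,
    errorReason: null,
    added(collection, id, fields) { this.sent.push({ collection, id, fields }); },
    ready() { this.readyCalled = true; },
    error(err) { this.errorReason = err.message; },
  };
}

// Vulnerable pattern: ctx.userId is never consulted, so an unauthenticated DDP
// client that subscribes receives every URL and token.
function publishGlobalWebhooksVulnerable(ctx) {
  for (const doc of INTEGRATIONS) ctx.added("integrations", doc._id, doc);
  ctx.ready();
}

// Hardened pattern: anonymous subscribers get an empty, ready subscription;
// authenticated non-admins are rejected; only admins receive the records.
function publishGlobalWebhooksHardened(ctx) {
  if (!ctx.userId) {
    ctx.ready(); // publish nothing to anonymous clients
    return;
  }
  const user = USERS[ctx.userId];
  if (!user || !user.isAdmin) {
    ctx.error(new Error("not-authorized"));
    return;
  }
  for (const doc of INTEGRATIONS) ctx.added("integrations", doc._id, doc);
  ctx.ready();
}

// Runs a publish handler for a given subscriber and summarizes what it sent.
function runPublication(handler, userId) {
  const ctx = makeContext(userId);
  handler(ctx);
  return {
    docs: ctx.sent.length,
    tokensExposed: ctx.sent.filter((d) => "token" in d.fields).length,
    ready: ctx.readyCalled,
    error: ctx.errorReason,
  };
}

// Anonymous subscriber (userId null) against both handlers.
console.log("vulnerable:", runPublication(publishGlobalWebhooksVulnerable, null)); // 2 docs, 2 tokens
console.log("hardened:  ", runPublication(publishGlobalWebhooksHardened, null)); // 0 docs, ready
```

The hardened handler answers an anonymous subscriber with an empty but ready subscription rather than an error, so the client learns nothing beyond "no data"; a logged-in non-admin gets an explicit rejection, which is what an admin reviewing server logs would want to see.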
• nodejs / server:
# Check for Wekan version
npm list -g wekan
• nodejs / server:
# Monitor DDP traffic for unauthorized subscriptions to globalwebhooks
# (Requires DDP monitoring tools)
• generic web:
# Check Wekan instance for exposed DDP endpoints
curl -I http://your-wekan-instance/api/v1/public/globalwebhooksdisclosure
Exploit status
EPSS: 0.15% (35th percentile)
CISA SSVC:
The primary mitigation for CVE-2026-30846 is to upgrade Wekan to version 8.34 or later, which includes the necessary access control fixes. If upgrading immediately is not possible, consider implementing temporary workarounds such as restricting network access to the Wekan instance and monitoring webhook activity for suspicious behavior. While a WAF or proxy cannot directly prevent the vulnerability, it can help detect and block malicious requests attempting to exploit it. After upgrading, confirm the fix by attempting to subscribe to the globalwebhooks publication with an unauthenticated DDP client and verifying that access is denied.
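The post-upgrade verification step described above, as an added example that is not part of the original advisory and not Wekan's own tooling: a DDP client sends the protocol handshake and a subscription to the "globalwebhooks" publication without logging in, and the server's replies are classified as "fixed" (subscription rejected or ready with no documents) or "vulnerable" (documents delivered). The publication name comes from the advisory text; the "/websocket" path is assumed to be Meteor's raw WebSocket endpoint, probeInstance() assumes the global WebSocket class of Node.js 22 or later, and the sample replies at the end are constructed, not captured from a real server.

```javascript
// Added example, not Wekan's own code: post-upgrade verification of the fix.
// A DDP client connects, subscribes to "globalwebhooks" without logging in, and
// the server's replies are classified. Assumptions: the publication name
// "globalwebhooks" is taken from the advisory text; the WebSocket path
// "/websocket" is Meteor's raw-WebSocket endpoint; probeInstance() relies on
// the global WebSocket class available in Node.js 22 and later.

// Messages a DDP client sends: the protocol handshake, then the subscription.
// No login method call is sent, so the subscriber is anonymous.
function ddpSubscribeMessages(subId = "1") {
  return [
    { msg: "connect", version: "1", support: ["1"] },
    { msg: "sub", id: subId, name: "globalwebhooks", params: [] },
  ];
}

// Classifies the server's replies for subscription subId. Only document counts
// are kept; the fields of any delivered record are never retained or printed.
function classifySubscription(messages, subId = "1") {
  let added = 0;
  let ready = false;
  let nosub = null;
  for (const raw of messages) {
    let m;
    try {
      m = typeof raw === "string" ? JSON.parse(raw) : raw;
    } catch {
      continue; // ignore non-JSON frames
    }
    if (!m || typeof m !== "object") continue;
    if (m.msg === "added") {
      added += 1;
    } else if (m.msg === "ready" && Array.isArray(m.subs) && m.subs.includes(subId)) {
      ready = true;
    } else if (m.msg === "nosub" && m.id === subId) {
      nosub = m.error ? m.error.reason || String(m.error.error) : "subscription closed";
    }
  }
  if (added > 0) return { status: "vulnerable", reason: `${added} document(s) delivered to an anonymous subscriber` };
  if (nosub !== null) return { status: "fixed", reason: `subscription rejected: ${nosub}` };
  if (ready) return { status: "fixed", reason: "subscription ready with no documents" };
  return { status: "inconclusive", reason: "no ready/nosub/added message for the subscription" };
}

// Connects to a Wekan instance, e.g. "ws://your-wekan-instance/websocket",
// collects replies for timeoutMs and resolves with the classification.
function probeInstance(wsUrl, timeoutMs = 3000) {
  return new Promise((resolve, reject) => {
    const received = [];
    const ws = new WebSocket(wsUrl); // global WebSocket: Node.js 22+ (assumption)
    const timer = setTimeout(() => {
      ws.close();
      resolve(classifySubscription(received));
    }, timeoutMs);
    ws.addEventListener("open", () => {
      for (const m of ddpSubscribeMessages()) ws.send(JSON.stringify(m));
    });
    ws.addEventListener("message", (ev) => received.push(String(ev.data)));
    ws.addEventListener("error", () => {
      clearTimeout(timer);
      reject(new Error(`WebSocket error for ${wsUrl}`));
    });
  });
}

// Constructed sample replies (not captured from a real server) for offline use.
const REPLIES_FIXED = [
  '{"msg":"connected","session":"abc"}',
  '{"msg":"nosub","id":"1","error":{"error":403,"reason":"Not authorized"}}',
];
const REPLIES_VULNERABLE = [
  '{"msg":"connected","session":"abc"}',
  '{"msg":"added","collection":"integrations","id":"x","fields":{"url":"...","token":"..."}}',
  '{"msg":"ready","subs":["1"]}',
];

console.log(classifySubscription(REPLIES_FIXED)); // status: "fixed"
console.log(classifySubscription(REPLIES_VULNERABLE)); // status: "vulnerable"
```

Run it against your own instance with `probeInstance("ws://your-wekan-instance/websocket").then(console.log)` after the upgrade; a result of "fixed" is the confirmation the mitigation paragraph asks for, while "inconclusive" usually means the timeout was too short or the endpoint path differs from the assumption above.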
Update Wekan to version 8.34 or later. This version fixes the vulnerability that exposes global webhook integrations without authentication. The update prevents unauthorized access to webhook URLs and tokens.
CVE-2026-30846 is an information disclosure vulnerability in Wekan versions 8.31.0 through 8.33, allowing unauthenticated access to webhook URLs and tokens.
You are affected if you are running Wekan versions 8.31.0 through 8.33. Upgrade to version 8.34 to mitigate the risk.
Upgrade Wekan to version 8.34 or later. If immediate upgrade is not possible, restrict network access and monitor webhook activity.
There is no confirmed active exploitation of CVE-2026-30846 as of the last update, but the vulnerability's ease of exploitation warrants caution.
Refer to the Wekan project's official website and GitHub repository for the latest security advisories and updates.