CVE-2026-1963
Severity: MEDIUM
WeKan < 8.21 - Improper Access Control in Attachment Storage
Title source: llm
Description
A vulnerability was found in WeKan up to 8.20. This affects an unknown function of the file models/attachments.js of the component Attachment Storage. The manipulation results in improper access controls. The attack may be launched remotely. Upgrading to version 8.21 mitigates this issue. The patch is identified as c413a7e860bc4d93fe2adcf82516228570bf382d. Upgrading the affected component is advised.
References (6)
Core References
https://vuldb.com/?id.344485 (Permissions Required, VDB Entry; tags: vdb-entry, technical-description)
https://vuldb.com/?ctiid.344485 (Permissions Required, VDB Entry; tags: signature, permissions-required)
https://vuldb.com/?submit.742678 (Permissions Required, VDB Entry; tag: third-party-advisory)
https://github.com/wekan/wekan/ (Various Sources; tag: product)
https://github.com/wekan/wekan/releases/tag/v8.21 (Release Notes; tag: patch)
Scores
CVSS v3: 6.3
EPSS: 0.0032
EPSS Percentile: 23.8%
Attack Vector: NETWORK
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
CISA SSVC (Vulnrichment)
Exploitation: none
Automatable: no
Technical Impact: partial
Details
CWE: CWE-266, CWE-284
Status: published
Products (1): wekan_project/wekan < 8.21
Published: Feb 05, 2026
Tracked Since: Feb 18, 2026