CVE-2026-1964

MEDIUM

Wekan < 8.21 - Improper Access Control in REST Endpoint

Title source: llm

Description

A vulnerability was determined in WeKan up to 8.20. This impacts an unknown function of the file models/boards.js of the component REST Endpoint. This manipulation causes improper access controls. Remote exploitation of the attack is possible. Upgrading to version 8.21 will fix this issue. Patch name: 545566f5663545d16174e0f2399f231aa693ab6e. It is advisable to upgrade the affected component.

References (6)

Core 6

Core References

Third Party Advisory, VDB Entry vdb-entry technical-description

https://vuldb.com/?id.344486

Permissions Required, VDB Entry signature permissions-required

https://vuldb.com/?ctiid.344486

Third Party Advisory, VDB Entry third-party-advisory

https://vuldb.com/?submit.742680

Patch patch

https://github.com/wekan/wekan/commit/545566f5663545d16174e0f2399f231aa693ab6e

View Patch ZIP pw:eip

Product, Release Notes patch

https://github.com/wekan/wekan/releases/tag/v8.21

Product product

https://github.com/wekan/wekan/

Scores

CVSS v3 4.3

EPSS 0.0022

EPSS Percentile 12.1%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-266 CWE-284

Status published

Products (1)

wekan_project/wekan < 8.21

Published Feb 05, 2026

Tracked Since Feb 18, 2026