Skip to main content
A Leader in the 2026 Gartner® Magic Quadrant™ for Endpoint Protection. Six years running.Find Out Why
CVE Vulnerability Database
Vulnerability Database/CVE-2026-1892

CVE-2026-1892: WeKan REST API Auth Bypass Vulnerability

CVE-2026-1892 is an authentication bypass flaw in WeKan REST API affecting versions up to 8.20. Attackers can exploit improper authorization in the setBoardOrgs function. This article covers technical details, impact, and mitigation.

Published:

CVE-2026-1892 Overview

A security vulnerability has been identified in WeKan, an open-source kanban board application, affecting versions up to 8.20. This vulnerability resides in the setBoardOrgs function within the models/boards.js file of the REST API component. The flaw allows improper authorization through manipulation of the item.cardId, item.checklistId, and card.boardId parameters. While the attack can be launched remotely over the network, exploitation requires authenticated access and high attack complexity, making successful exploitation difficult.

Critical Impact

Authenticated attackers may bypass authorization controls to access or modify board, card, and checklist data belonging to other organizations within the WeKan instance.

Affected Products

  • WeKan versions up to and including 8.20
  • WeKan REST API component (models/boards.js)
  • Self-hosted WeKan deployments with exposed REST API endpoints

Discovery Timeline

  • 2026-02-04 - CVE CVE-2026-1892 published to NVD
  • 2026-02-05 - Last updated in NVD database

Technical Details for CVE-2026-1892

Vulnerability Analysis

This improper authorization vulnerability (CWE-266: Incorrect Privilege Assignment) affects the setBoardOrgs function in WeKan's REST API. The function fails to properly validate whether a user has legitimate access rights to board resources before processing requests. By manipulating the item.cardId, item.checklistId, or card.boardId parameters in API requests, an authenticated attacker could potentially access or modify data belonging to different organizations or boards than they should have access to.

The vulnerability requires authentication (low privileges) and involves high attack complexity, which limits the ease of exploitation. The impact includes potential unauthorized access to confidential board data, the ability to modify card and checklist items, and disruption of kanban board integrity.

Root Cause

The root cause is insufficient authorization checks within the setBoardOrgs function. The function processes board organization assignments without adequately verifying that the requesting user has proper permissions for the specified cardId, checklistId, and boardId values. This allows cross-organizational or cross-board access when parameter values are manipulated.

Attack Vector

The attack is conducted remotely through the WeKan REST API. An authenticated user with low-level privileges can craft malicious API requests containing manipulated resource identifiers. Due to the high complexity requirements, successful exploitation likely requires knowledge of valid target resource IDs and understanding of the API structure.

The vulnerability manifests in the authorization logic within models/boards.js. For technical details on the vulnerable code and the applied fix, refer to the GitHub Wekan Commit Details containing patch cabfeed9a68e21c469bf206d8655941444b9912c.

Detection Methods for CVE-2026-1892

Indicators of Compromise

  • Unusual REST API requests to board-related endpoints with mismatched organization or board IDs
  • API access logs showing authenticated users attempting to access resources outside their assigned organizations
  • Failed authorization attempts followed by successful access to cross-organizational resources

Detection Strategies

  • Monitor WeKan REST API logs for requests to /api/boards endpoints with abnormal parameter patterns
  • Implement correlation rules to detect users accessing board IDs that differ from their organizational assignments
  • Review audit logs for setBoardOrgs function calls with suspicious cardId, checklistId, or boardId combinations

Monitoring Recommendations

  • Enable detailed API request logging for all board and organization-related endpoints
  • Configure alerts for authorization failures followed by subsequent successful requests from the same user
  • Implement rate limiting on REST API endpoints to slow potential enumeration attacks

How to Mitigate CVE-2026-1892

Immediate Actions Required

  • Upgrade WeKan to version 8.21 or later immediately
  • Review API access logs for any suspicious activity targeting board resources
  • Audit organization and board assignments to ensure data integrity has not been compromised

Patch Information

WeKan has released version 8.21 which addresses this vulnerability. The fix is contained in commit cabfeed9a68e21c469bf206d8655941444b9912c. Organizations running affected versions should upgrade to the patched release.

Relevant resources:

Workarounds

  • Restrict REST API access to trusted networks or authenticated users with verified organizational membership
  • Implement additional API gateway authorization controls to validate resource ownership before requests reach WeKan
  • Consider temporarily disabling the REST API if not critical to operations until the patch can be applied
bash
# Configuration example - Restrict API access via reverse proxy (nginx example)
location /api/ {
    # Limit API access to internal networks only
    allow 10.0.0.0/8;
    allow 192.168.0.0/16;
    deny all;
    
    proxy_pass http://wekan:3000;
}

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.

Try SentinelOne