CVE-2026-2208 Overview
A missing authorization vulnerability has been identified in WeKan, the open-source kanban board application. The vulnerability exists in the server/publications/rules.js file within the Rules Handler component. Due to improper access control checks, authenticated users can potentially access rule data from boards they do not have permission to view, leading to unauthorized information disclosure.
Critical Impact
Authenticated attackers can remotely exploit this vulnerability to access sensitive rule configurations from unauthorized boards, potentially exposing workflow automation details and business logic.
Affected Products
- WeKan versions up to and including 8.20
- wekan_project wekan (all installations prior to v8.21)
Discovery Timeline
- February 8, 2026 - CVE-2026-2208 published to NVD
- February 11, 2026 - Last updated in NVD database
Technical Details for CVE-2026-2208
Vulnerability Analysis
This vulnerability falls under CWE-862 (Missing Authorization), which occurs when the software does not perform an authorization check when an actor attempts to access a resource or perform an action. In the case of WeKan, the rules Meteor publication endpoint in server/publications/rules.js failed to verify whether the requesting user had legitimate access to the board associated with the requested rule.
The vulnerable code path allowed any authenticated user to request rule data by providing a valid ruleId parameter, regardless of whether they had permission to view the associated board. This design flaw enables horizontal privilege escalation where users can access data belonging to other boards or organizations.
Root Cause
The root cause stems from insufficient authorization checks in the Meteor publication function for rules. The original implementation accepted a ruleId parameter and returned the corresponding rule data without validating:
- Whether the user was authenticated (this.userId check was missing)
- Whether the rule actually existed in the database
- Whether the user had permission to view the board associated with the rule
This oversight allowed authenticated users to enumerate and retrieve rule configurations from any board in the WeKan instance.
Attack Vector
The attack can be initiated remotely by any authenticated user with access to the WeKan instance. An attacker would need to:
- Authenticate to the WeKan application with valid credentials
- Identify or enumerate valid rule IDs (potentially through other information disclosure vectors)
- Subscribe to the rules publication with a target ruleId
- Receive rule data from boards they should not have access to
The vulnerability requires network access and low-privilege authentication, but no user interaction is needed for exploitation.
// Security patch in server/publications/rules.js - Security Fix 14: RulesBleed
// Source: https://github.com/wekan/wekan/commit/a787bcddf33ca28afb13ff5ea9a4cb92dceac005
import Actions from '/models/actions';
import Triggers from '/models/triggers';
import Rules from '/models/rules';
+import ReactiveCache from '/imports/reactiveCache';
-Meteor.publish('rules', ruleId => {
+Meteor.publish('rules', function(ruleId) {
check(ruleId, String);
+
+ if (!this.userId) {
+ return this.ready();
+ }
+
+ const rule = ReactiveCache.getRule(ruleId);
+ if (!rule) {
+ return this.ready();
+ }
+
+ const board = ReactiveCache.getBoard(rule.boardId);
+ if (!board || !board.isVisibleBy(this.userId)) {
+ return this.ready();
+ }
+
const ret = ReactiveCache.getRules(
{
_id: ruleId,
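Review bot: the three new guards (no this.userId, rule not found, board not visible) all fall through to a silent `return this.ready();`, which correctly avoids confirming to the caller whether the rule exists, but none of the denied branches is logged, so the userId/ruleId pairs that the detection guidance below depends on never reach the server log; consider a server-side log line before each denied `return this.ready();`. The change from the arrow function `ruleId => {` to `function(ruleId) {` is what makes `this.userId` and `this.ready()` refer to the subscription handle, and deserves a comment so a future style cleanup does not revert it.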
Source: GitHub Commit a787bcdd
Detection Methods for CVE-2026-2208
Indicators of Compromise
- Unusual subscription patterns to the rules publication endpoint from individual users
- Access logs showing repeated requests for rule IDs across multiple boards by the same user
- Anomalous Meteor DDP (Distributed Data Protocol) subscription activity targeting rules
Detection Strategies
- Monitor Meteor publication subscriptions for abnormal rules endpoint access patterns
- Implement logging on rule access to track which users are querying which rule IDs
- Review access logs for users accessing rules associated with boards they are not members of
- Deploy application-level monitoring to detect enumeration attempts against rule IDs
Monitoring Recommendations
- Enable verbose logging for Meteor publication endpoints in WeKan
- Set up alerts for high-frequency rule subscription requests from single users
- Implement audit trails for all rule data access within the application
- Monitor for unauthorized cross-board data access patterns
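The cross-board and enumeration checks listed above, worked through over constructed access-log lines. This is an added example, not WeKan code; the JSON log format, the field names and the board membership table are assumptions standing in for whatever rule-access logging you enable.

```python
import json
from collections import defaultdict

# Constructed sample: one JSON line per DDP subscription to the `rules`
# publication, in an assumed application-log format (not WeKan's own schema).
SAMPLE_LOG = """
{"ts": 1770700000, "user": "alice", "sub": "rules", "ruleId": "r1", "boardId": "b1"}
{"ts": 1770700010, "user": "alice", "sub": "rules", "ruleId": "r2", "boardId": "b1"}
{"ts": 1770700020, "user": "mallory", "sub": "rules", "ruleId": "r1", "boardId": "b1"}
{"ts": 1770700021, "user": "mallory", "sub": "rules", "ruleId": "r3", "boardId": "b2"}
{"ts": 1770700022, "user": "mallory", "sub": "rules", "ruleId": "r4", "boardId": "b3"}
{"ts": 1770700023, "user": "mallory", "sub": "rules", "ruleId": "r5", "boardId": "b4"}
{"ts": 1770700100, "user": "bob", "sub": "cards", "cardId": "c9", "boardId": "b2"}
"""

# Constructed board membership: which users each board is visible to.
BOARD_MEMBERS = {"b1": {"alice", "mallory"}, "b2": {"bob"}, "b3": {"bob"}, "b4": {"bob"}}


def parse_log(text):
    """Parse JSON-lines log text into a list of event dicts."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def find_cross_board_access(events, members):
    """Users who subscribed to rules on boards they are not members of."""
    hits = defaultdict(set)
    for e in events:
        if e.get("sub") != "rules":
            continue
        if e["user"] not in members.get(e["boardId"], set()):
            hits[e["user"]].add(e["ruleId"])
    return {user: sorted(rules) for user, rules in hits.items()}


def find_enumeration(events, window=60, threshold=3):
    """Users with >= threshold rule subscriptions inside any sliding window of
    `window` seconds; returns the peak count per flagged user."""
    per_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e.get("sub") == "rules":
            per_user[e["user"]].append(e["ts"])
    flagged = {}
    for user, times in per_user.items():
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[user] = max(flagged.get(user, 0), count)
    return flagged
```

Tune `window` and `threshold` to the normal subscription rate of your deployment; a board with many rules opened once will legitimately produce a burst of rule subscriptions.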
How to Mitigate CVE-2026-2208
Immediate Actions Required
- Upgrade WeKan to version 8.21 or later immediately
- Review access logs for suspicious rule access patterns that occurred before the patch was applied
- Audit rule configurations for any sensitive data that may have been exposed
- Consider resetting or reviewing automation rules if unauthorized access is suspected
Patch Information
The vulnerability has been addressed in WeKan version 8.21. The fix implements proper authorization checks including:
- User authentication verification (this.userId check)
- Rule existence validation before processing
- Board visibility verification using board.isVisibleBy(this.userId)
The security patch is identified by commit hash a787bcddf33ca28afb13ff5ea9a4cb92dceac005. Organizations should upgrade to WeKan v8.21 to remediate this vulnerability.
Workarounds
- Restrict network access to the WeKan instance to trusted networks only until patching is complete
- Implement additional authentication layers (reverse proxy authentication) to limit access
- Review and audit user accounts to ensure only authorized personnel have access
- Consider temporarily disabling the rules feature if not critical to operations
# Configuration example - Upgrade WeKan to patched version
# Pull the latest WeKan Docker image with the fix
docker pull wekanteam/wekan:v8.21
# Or if using snap installation
sudo snap refresh wekan --channel=latest/stable
# Verify the installation version
wekan --version
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.