CVE-2026-30846 Overview
CVE-2026-30846 is a high severity information disclosure vulnerability in Wekan, an open source kanban tool built with Meteor. The flaw resides in the globalwebhooks publication, which exposes every global webhook integration—including url and token fields—without performing server-side authentication. Any Distributed Data Protocol (DDP) client, including unauthenticated ones, can subscribe to the publication and retrieve sensitive webhook data. Versions 8.31.0 through 8.33 are affected, and the issue is fixed in version 8.34. The vulnerability maps to [CWE-200] Exposure of Sensitive Information and [CWE-306] Missing Authentication for Critical Function.
Critical Impact
Unauthenticated remote attackers can harvest webhook URLs and authentication tokens, enabling unauthorized invocation of webhooks and access to connected external services.
Affected Products
- Wekan 8.31.0
- Wekan 8.32
- Wekan 8.33
Discovery Timeline
- 2026-03-06 - CVE-2026-30846 published to the National Vulnerability Database (NVD)
- 2026-03-11 - Last updated in NVD database
Technical Details for CVE-2026-30846
Vulnerability Analysis
Wekan uses Meteor's DDP for real-time data synchronization between client and server. Meteor publications define which collections and fields the server sends to subscribing clients. The globalwebhooks publication in server/publications/settings.js returned every integration document stored under the global webhook board identifier, including the token field used to authenticate outbound webhook requests.
The publication function lacked any server-side check on this.userId or administrative role. Although the Wekan admin settings page is the only legitimate consumer of this publication, the server enforces no access control. A DDP client can connect directly to the Wekan server and issue a sub message for globalwebhooks without ever logging in.
The response contains the full integration documents, including remote webhook URLs and bearer tokens. An attacker can then replay those tokens to invoke the connected external services—chat platforms, CI systems, or monitoring tools—on behalf of the Wekan deployment.
Root Cause
The root cause is missing authentication on a Meteor publication that returns sensitive fields. The original handler was defined as Meteor.publish('globalwebhooks', async () => { ... }) with no reference to this.userId and no field projection to strip the token value before transmission.
Attack Vector
Exploitation requires only network access to the Wekan DDP endpoint. The attacker opens a WebSocket connection, completes the DDP handshake, and subscribes to globalwebhooks. The server streams matching documents in added messages. No credentials, user interaction, or prior authorization are required.
import { ReactiveCache } from '/imports/reactiveCache';
-Meteor.publish('globalwebhooks', async () => {
+Meteor.publish('globalwebhooks', async function() {
+ if (!this.userId) {
+ return this.ready();
+ }
+
+ const user = await ReactiveCache.getCurrentUser();
+ if (!user || !user.isAdmin) {
+ return this.ready();
+ }
+
const boardId = Integrations.Const.GLOBAL_WEBHOOK_ID;
const ret = await ReactiveCache.getIntegrations(
{
boardId,
},
- {},
+ {
+ fields: {
+ token: 0,
+ },
+ },
true,
);
return ret;
Source: Wekan commit 1ee9b2e. The patch adds two guards—this.userId presence and user.isAdmin—and projects the token field out of the result set as defense in depth.
Detection Methods for CVE-2026-30846
Indicators of Compromise
- Unauthenticated DDP sub messages targeting the globalwebhooks subscription name in Wekan WebSocket traffic.
- Outbound webhook invocations from third-party services originating from unexpected source IP addresses using valid Wekan-issued tokens.
- New WebSocket sessions to /websocket on the Wekan server that subscribe to publications without first issuing a login method call.
Detection Strategies
- Inspect reverse proxy or application logs for WebSocket upgrades to the Wekan DDP endpoint followed by subscription requests that lack a preceding authenticated session.
- Audit downstream services consumed by Wekan webhooks for token usage patterns that do not align with normal Wekan automation timing or payload shape.
- Run an internal DDP client against the deployment and attempt an unauthenticated subscription to globalwebhooks; a non-empty response confirms exposure on versions 8.31.0 through 8.33.
Monitoring Recommendations
- Forward Wekan application and reverse proxy logs to a centralized analytics platform and alert on anonymous DDP subscription activity.
- Track external webhook receiver logs for invocations that do not correlate with Wekan board events.
- Monitor the installed Wekan version across hosts and alert when a release below 8.34 is detected.
How to Mitigate CVE-2026-30846
Immediate Actions Required
- Upgrade Wekan to version 8.34 or later, which adds the authentication and admin role checks on the globalwebhooks publication.
- Rotate every global webhook token configured in Wekan after upgrading; assume any token present on a vulnerable version is compromised.
- Review external services that accept Wekan webhooks and revoke or rotate any shared secrets exposed through those integrations.
Patch Information
The fix is delivered in Wekan release v8.34 and is implemented by commit 1ee9b2e. Additional context is available in the GitHub Security Lab advisory GHSL-2026-037.
Workarounds
- Restrict network access to the Wekan DDP endpoint to trusted administrative networks until the upgrade is applied.
- Remove global webhook integrations from the Wekan database temporarily if upgrade is not immediately feasible, eliminating the data the publication can leak.
- Place Wekan behind an authenticating reverse proxy that blocks unauthenticated WebSocket upgrades to /websocket.
# Verify installed Wekan version and upgrade via Snap (example)
snap info wekan | grep installed
sudo snap refresh wekan --channel=latest/stable
# Confirm version is >= 8.34 after upgrade
curl -s https://wekan.example.com/api/info
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
