CVE-2026-30847 Overview
CVE-2026-30847 is a critical information exposure vulnerability in Wekan, an open source kanban tool built with Meteor. In versions 8.31.0 through 8.33, the notificationUsers publication builds its cursor with ReactiveCache.getUsers() and no field projection, so every subscriber receives complete user documents, including bcrypt password hashes, active session login tokens, email verification tokens, full email addresses, and stored OAuth tokens.
Meteor's built-in accounts publication only ever sends a user their own document, and only the username, emails and profile fields; the services subdocument, where Meteor keeps password hashes and tokens, is never published by default. A custom publication gets none of that protection: it sends whatever fields its cursor selects. Any authenticated user who subscribes to this publication can therefore harvest credentials and session material for other users, enabling offline password cracking, session hijacking, and full account takeover.
Critical Impact
Authenticated users can extract bcrypt password hashes, active session tokens, and OAuth credentials for all users, enabling credential theft, session hijacking, and complete account takeover across the entire Wekan instance.
Affected Products
- Wekan versions 8.31.0 through 8.33 (fixed in 8.34)
- NVD vendor/product: wekan_project / wekan
Discovery Timeline
- 2026-03-06 - CVE-2026-30847 published to NVD
- 2026-03-11 - Last updated in NVD database
Technical Details for CVE-2026-30847
Vulnerability Analysis
This vulnerability is classified as CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor). The root issue is the difference between Meteor's built-in accounts publication and a hand-written one.
Meteor's built-in publication sends the logged-in user only their own document, projected to username, emails and profile; the services subdocument never leaves the server. A custom Meteor.publish handler inherits none of that: whatever the returned cursor selects is sent to the subscriber. The notificationUsers publication in Wekan returned a cursor over user documents with no fields projection, so the full document, including every authentication secret under services, was transmitted to any authenticated subscriber.
The exposed data includes:
- Bcrypt password hashes - Can be cracked offline; bcrypt is slow, but weak or reused passwords will still fall
- Active session login tokens - Enable session hijacking without knowing the password
- Email verification tokens - Allow the email verification step to be completed without access to the mailbox
- OAuth tokens - Provide access to connected third-party services on the victim's behalf
- Full email addresses - Facilitate targeted phishing and user enumeration
Root Cause
The vulnerability stems from a missing field projection in the publication's cursor. The notificationUsers publication passed an empty options object {} to ReactiveCache.getUsers() instead of a fields projection. In Meteor, as in MongoDB, a find with no fields (or projection) option returns every field of each matching document, and a publication forwards those documents to subscribers as-is.
This is a common security pitfall in Meteor applications: developers assume custom publications inherit the filtering of the built-in Meteor.users publication, when in fact they do not. Every publication that returns a cursor over Meteor.users needs its own explicit inclusion projection.
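To make the root cause concrete, here is an added example (not Wekan or Meteor code) that models what a publication sends when its cursor is built with {} versus with the inclusion projection from the 8.34 fix. The project() helper reimplements MongoDB/minimongo inclusion-projection semantics on plain objects (dotted paths, _id always included) so it runs without a Meteor server; the sample user document and every secret in it are constructed placeholders. It goes one step beyond the page with a hypothetical assertSafeUserProjection() guard that rejects the empty projection, exclusion-style projections, and any included path under services or emails, which is the check you would want on every other publication over the users collection.

```javascript
// Added example (not Wekan or Meteor code): a self-contained model of what a
// Meteor publication sends when its cursor is built with `{}` versus with an
// inclusion projection. project() reimplements MongoDB/minimongo inclusion
// projection semantics on plain objects (dotted paths, _id always included).

// Constructed sample shaped like a Meteor users document. Every secret below
// is a placeholder string, not a real hash or token.
const SAMPLE_USERS = [
  {
    _id: 'u1',
    username: 'alice',
    emails: [{ address: 'alice@example.test', verified: true }],
    profile: { fullname: 'Alice Example', avatarUrl: '/avatars/alice.png', initials: 'AE', language: 'en' },
    services: {
      password: { bcrypt: '$2b$10$placeholder.placeholder.placeholder.placeholder.plac' },
      resume: { loginTokens: [{ hashedToken: 'placeholder-hashed-login-token', when: 0 }] },
      email: { verificationTokens: [{ token: 'placeholder-verify-token', address: 'alice@example.test', when: 0 }] },
      oauthprovider: { accessToken: 'placeholder-oauth-access-token' },
    },
  },
];

function clone(v) { return JSON.parse(JSON.stringify(v)); }

function getPath(doc, path) {
  return path.split('.').reduce((o, k) => (o !== null && typeof o === 'object' ? o[k] : undefined), doc);
}

function setPath(target, path, value) {
  const parts = path.split('.');
  let cur = target;
  for (const part of parts.slice(0, -1)) {
    if (cur[part] === null || typeof cur[part] !== 'object') cur[part] = {};
    cur = cur[part];
  }
  cur[parts[parts.length - 1]] = value;
}

// Inclusion projection: with no fields the whole document is returned, which
// is exactly the vulnerable behaviour; otherwise only the listed paths plus _id.
function project(doc, fields) {
  const paths = Object.entries(fields || {}).filter(([, v]) => v).map(([k]) => k);
  if (paths.length === 0) return clone(doc);
  const out = { _id: doc._id };
  for (const path of paths) {
    const value = getPath(doc, path);
    if (value !== undefined) setPath(out, path, clone(value));
  }
  return out;
}

// What 8.31.0 through 8.33 published: options {} -> complete documents.
function publishNotificationUsersVulnerable(users) {
  return users.map((u) => project(u, {}));
}

// The 8.34 whitelist, as in the fix commit.
const NOTIFICATION_USER_FIELDS = {
  username: 1, 'profile.fullname': 1, 'profile.avatarUrl': 1, 'profile.initials': 1,
};
function publishNotificationUsersFixed(users) {
  return users.map((u) => project(u, NOTIFICATION_USER_FIELDS));
}

// Paths that must never reach a client; used to show the leak.
const SENSITIVE_PATHS = [
  'services.password.bcrypt', 'services.resume.loginTokens',
  'services.email.verificationTokens', 'services', 'emails',
];
function leakedPaths(doc) {
  return SENSITIVE_PATHS.filter((p) => getPath(doc, p) !== undefined);
}

// Hypothetical guard (not in Wekan) to wrap around every user-collection
// publication: rejects the empty projection, exclusion-style projections, and
// any included path under services or emails. Returns true when safe.
function assertSafeUserProjection(fields) {
  const entries = Object.entries(fields || {});
  if (entries.length === 0) throw new Error('user publication without a fields projection');
  for (const [path, include] of entries) {
    if (!include) throw new Error('exclusion projections are not allowed: ' + path);
    if (/^(services|emails)(\.|$)/.test(path)) throw new Error('sensitive path published: ' + path);
  }
  return true;
}
```

Run it with node and compare leakedPaths() on the two publish functions: the {} version exposes all five sensitive paths, the whitelist version none, and the only top-level keys that survive are _id, username and profile.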
Attack Vector
The attack requires network access and a low-privilege authenticated account; no elevated role is needed. An attacker with any valid Wekan account subscribes to the notificationUsers publication over the Meteor DDP protocol (a sub message on the websocket) and receives complete user documents for every user in the notification context, including all sensitive authentication fields.
The following excerpt of the fix commit (released in version 8.34) shows the change:
.filter(v => !!v),
},
},
- {},
+ {
+ fields: {
+ username: 1,
+ 'profile.fullname': 1,
+ 'profile.avatarUrl': 1,
+ 'profile.initials': 1,
+ },
+ },
true,
);
return ret;
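Review bot: the projection is the right shape (an inclusion list, so fields added to user documents later stay unpublished), but the hunk does not show whether any consumer of this publication relied on `emails` or other fields it drops; `_id` is still delivered because Mongo always includes it in an inclusion projection, while anything that read `emails` from these documents will now see `undefined`, so a check of the subscribers is warranted. The trailing `true` argument's meaning is not visible either; a short comment naming what it selects would help the next reader. Since the advisory calls this pattern a common pitfall, the fix would also benefit from a regression test that subscribes as a low-privilege user and asserts the received documents carry no `services` or `emails` key, and from an audit of every other publication built on `ReactiveCache.getUsers` with `{}` options.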
Source: GitHub Wekan Commit
The fix replaces the empty options object with an explicit fields projection that returns only username, profile.fullname, profile.avatarUrl and profile.initials (plus _id, which MongoDB always includes in an inclusion projection). Because this is an inclusion list, fields added to user documents later stay unpublished unless a developer deliberately adds them.
Detection Methods for CVE-2026-30847
Indicators of Compromise
- DDP subscription requests to the notificationUsers publication from unexpected client sessions or accounts
- Multiple rapid subscription/unsubscription cycles from the same authenticated user (a weak signal on its own: a single subscription already delivers every user document in scope)
- Database query or profiler logs showing full user document retrievals with no projection
- Session tokens used from new IP addresses or user agents, or concurrently with the legitimate owner, indicating possible session hijacking
Detection Strategies
- Log publication subscriptions server-side (DDP is normally carried over TLS, so the Meteor server is the practical place to see sub and unsub messages) and alert on subscriptions to notificationUsers
- Log which fields leave the server in user-document publications, and alert on any that include services or emails
- Review application logs for unusual authentication patterns following potential data exposure
- With the MongoDB profiler or audit log enabled, look for find operations on the users collection that carry no projection
Monitoring Recommendations
- Enable detailed Meteor publication logging to track subscription patterns
- Monitor for password reset requests or suspicious logins that could indicate use of passwords cracked from the exposed bcrypt hashes
- Track OAuth token revocation and reissuance patterns
- Implement anomaly detection on session token usage to identify potential hijacking
How to Mitigate CVE-2026-30847
Immediate Actions Required
- Upgrade Wekan to version 8.34 or later immediately
- Force logout all active user sessions after applying the patch to invalidate potentially compromised tokens
- Require all users to reset their passwords as a precautionary measure
- Rotate any OAuth tokens that may have been exposed
- Review access logs for signs of credential harvesting
Patch Information
The vulnerability has been fixed in Wekan version 8.34. The patch commit 1c8667eae8b28739e43569b612ffdb2693c6b1ce adds explicit field projections to the notificationUsers publication, ensuring only necessary non-sensitive fields (username, profile.fullname, profile.avatarUrl, profile.initials) are returned to subscribers.
For detailed information, see the GitHub Security Advisory GHSL-2026-035 and the Wekan v8.34 release.
Workarounds
- If immediate upgrade is not possible, take the Wekan instance offline or restrict access to it until patching can be completed
- Restrict network access (VPN or IP allow-list) so that only trusted personnel can reach the instance; any valid account is enough to exploit the issue, so authorization alone does not help
- Consider temporarily disabling the notification system if the application architecture allows
- Monitor for suspicious subscription activity and terminate sessions that exhibit potential harvesting behavior
# Upgrade Wekan to the patched version. Update the image tag in
# docker-compose.yml to wekan/wekan:v8.34 first; "docker pull" alone does not
# change which image the compose file starts.
docker pull wekan/wekan:v8.34
docker-compose down
docker-compose up -d
# Force invalidate all existing sessions after the upgrade by removing every
# stored login token from the "wekan" database. Use mongosh on MongoDB 6+; the
# legacy mongo shell on older servers accepts the same --eval. If MongoDB runs
# in a container, run the shell inside it (e.g. via docker-compose exec).
mongosh wekan --eval 'db.users.updateMany({}, {$unset: {"services.resume.loginTokens": ""}})'
# Password hashes and OAuth tokens remain in the database: follow with the
# password reset and OAuth token rotation steps listed above.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.