WeKan Information Disclosure Vulnerability in Meteor Publication Handler

Vulnerability

A vulnerability allowing information disclosure has been identified in WeKan versions prior to 8.20. The issue arises in the Meteor Publication Handler, specifically within the 'server/publications/cards.js' file. The vulnerability occurs because the publication for individual cards does not properly verify whether the requesting user can view the associated board before sending card data. This flaw can be exploited remotely, exposing sensitive information to unauthorized users.

Impact

Exploitation of this vulnerability allows unauthorized users to access sensitive information that should be restricted.

Reproduction

To reproduce this vulnerability, request card data through the Meteor publication without the necessary authorization to view the related board. The publication will return the card data, bypassing visibility checks.
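The missing check described above, modelled as a self-contained example that is added here and is not WeKan's code or its actual fix: a card lookup that skips the parent board's visibility next to one that enforces it, plus a regression check that lists what leaks. The collections, field names, sample records and function names (`canViewBoard`, `publishCardUnchecked`, `publishCardChecked`, `leakedCardIds`) are assumptions constructed for illustration.

```javascript
// In-memory stand-ins for the boards and cards collections.
// Field names and sample records are constructed, not WeKan's schema.
const boards = new Map([
  ['b-private', { permission: 'private', members: [{ userId: 'alice', isActive: true }] }],
  ['b-public', { permission: 'public', members: [] }],
]);
const cards = new Map([
  ['c1', { _id: 'c1', boardId: 'b-private', title: 'Q3 salary review' }],
  ['c2', { _id: 'c2', boardId: 'b-public', title: 'Roadmap' }],
]);

// Hypothetical helper: may this user see the board at all?
function canViewBoard(board, userId) {
  if (!board) return false; // unknown board: deny
  if (board.permission === 'public') return true;
  return Boolean(userId) &&
    board.members.some((m) => m.userId === userId && m.isActive);
}

// Flawed pattern: the card is looked up by id and returned without
// consulting the board it belongs to.
function publishCardUnchecked(userId, cardId) {
  const card = cards.get(cardId);
  return card ? [card] : [];
}

// Hardened pattern: resolve the parent board first and deny by default.
// A missing card and a forbidden card give the same empty result, so the
// response does not confirm that a card id exists.
function publishCardChecked(userId, cardId) {
  const card = cards.get(cardId);
  if (!card) return [];
  return canViewBoard(boards.get(card.boardId), userId) ? [card] : [];
}

// Regression check: ids of cards that a publish function hands to a user
// who cannot view the parent board. An empty list means no leak.
function leakedCardIds(publish, userId) {
  return [...cards.keys()].filter((id) => {
    const visible = canViewBoard(boards.get(cards.get(id).boardId), userId);
    return !visible && publish(userId, id).length > 0;
  });
}
```

Running `leakedCardIds` against every card-returning handler with a non-member and an anonymous user makes a useful regression test after upgrading.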

Remediation

Upgrade to WeKan version 8.21, which includes the necessary fix. The updated version is available on the WeKan GitHub Releases page.

Added: Feb 8, 2026, 2:20 AM
Updated: Feb 8, 2026, 2:20 AM

Vulnerability Rating

Custom Algorithm

spread: 3.1
impact: 2.5
exploitability: 9.1
remediation: 7.7
relevance: 2.9
threat: 4.8
urgency: 2.9
incentive: 8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.