Listen to this Post
The vulnerability, identified as CVE-2026-1963, is an improper access control flaw found in WeKan versions up to 8.20. It resides in an unknown function within the `models/attachments.js` file, which is part of the Attachment Storage component. The core issue is that the software fails to properly verify a user’s permissions when handling attachment-related operations. This allows a remote attacker with low privileges to manipulate or access attachments without requiring any user interaction. The attack complexity is low, meaning it does not require specialized conditions to exploit. Successful exploitation could lead to a low impact on the confidentiality, integrity, and availability of the data, as an attacker could potentially view, modify, or delete attachments they should not have access to. The vulnerability was patched in commit `c413a7e` and fixed in version 8.21. It is classified under CWE-266 (Incorrect Privilege Assignment) and CWE-284 (Improper Access Control) .
dailycve form:
Platform: WeKan
Version: up to 8.20
Vulnerability : Improper Access Controls
Severity: Medium
date: 05/02/2026
Prediction: Patch already available
What Undercode Say:
Analytics:
The vulnerability is present in the file models/attachments.js. To locate this file in your local instance, you can use the following command:
find /path/to/wekan -name "attachments.js" -type f
To check the current version of your WeKan installation, you can often find it in the package details or use:
If installed via Git cd /path/to/wekan git describe --tags Or check the version displayed in the WeKan web interface's admin panel.
How Exploit:
An attacker could exploit this by sending specially crafted API requests to the WeKan server that target attachment functions. Since the access controls are improper, the server might not correctly validate if the low-privileged user should have access to the targeted attachment. The following is a hypothetical `curl` command demonstrating how an attacker might attempt to enumerate or access an attachment by guessing or knowing its ID:
Hypothetical example: Attempt to download an attachment without proper permissions curl -X GET "http://target-wekan-instance.com/api/attachments/[bash]" \ -H "Authorization: Bearer [bash]"
The vulnerability allows the manipulation of the attachment storage, meaning an attacker could potentially overwrite existing attachments or upload new ones in contexts reserved for other users by sending POST or PUT requests to the relevant endpoints.
Protection from this CVE:
The primary and immediate protection is to upgrade WeKan to version 8.21 or later. The specific patch can be applied manually if an upgrade is not immediately possible. To apply the patch manually, you can use `git cherry-pick` if you have a Git repository:
cd /path/to/wekan git fetch origin git cherry-pick c413a7e860bc4d93fe2adcf82516228570bf382d
Or, you can manually edit the `models/attachments.js` file to mirror the changes made in that commit. Always ensure you have proper backups before making manual changes. As a temporary workaround, restricting network access to the WeKan server and monitoring logs for unusual attachment activity can help mitigate the risk.
Impact:
Successful exploitation allows an authenticated low-privilege remote attacker to bypass access controls. This can lead to unauthorized access to potentially sensitive data stored in attachments (confidentiality impact), unauthorized modification or corruption of those attachments (integrity impact), and potential disruption of service if critical attachments are deleted or made unavailable (availability impact). While each impact is rated low, the combination can undermine the trust and reliability of the WeKan board as a collaborative tool .
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: nvd.nist.gov
Extra Source Hub:
Undercode

