CVE-2026-30846

UNKNOWN 0.0

Wekan Exposes All Global Webhook Integrations through globalwebhooks Publication

CVSS Score

0.0

EPSS Score

0.0%

EPSS Percentile

0th

Wekan is an open source kanban tool built with Meteor. In versions 8.31.0 through 8.33, the globalwebhooks publication exposes all global webhook integrations—including sensitive url and token fields—without performing any authentication check on the server side. Although the subscription is normally invoked from the admin settings page, the server-side publication has no access control, meaning any DDP client, including unauthenticated ones, can subscribe and receive the data. This allows an unauthenticated attacker to retrieve global webhook URLs and authentication tokens, potentially enabling unauthorized use of those webhooks and access to connected external services. This issue has been fixed in version 8.34.

CWE	CWE-306 CWE-200
Vendor	wekan
Product	wekan
Published	Mar 6, 2026
Last Updated	Mar 9, 2026

Stay Ahead of the Next One

Get instant alerts for wekan wekan

Be the first to know when new unknown vulnerabilities affecting wekan wekan are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

Affected Versions

Wekan / Wekan

>= 8.31.0, < 8.34

References

NVD ↗ CVE.org ↗ EPSS Data ↗

securitylab.github.com: https://securitylab.github.com/advisories/GHSL-2026-037_Wekan/ github.com: https://github.com/wekan/wekan/commit/1ee9b2e917104f54c035f6426169a28fedecbdb6 github.com: https://github.com/wekan/wekan/releases/tag/v8.34