PT-2026-23745 · Wekan+1 · Wekan

Xet7 · Published 2026-03-06 · Updated 2026-03-11 · CVE-2026-30845

CVSS v3.1: 8.2 (High)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
Name of the Vulnerable Software and Affected Versions

Wekan versions 8.31.0 through 8.33

Description

Wekan is an open source kanban tool. In affected versions, the board composite publication publishes all integration data for a board without field filtering, exposing sensitive information such as webhook URLs and authentication tokens to any subscriber. Board publications are accessible to all board members, regardless of their role, and even to unauthenticated DDP clients for public boards. As a result, any user with board access can retrieve webhook credentials. With a leaked token, an attacker can make unauthenticated requests to the exposed webhooks, potentially triggering unauthorized actions in connected external services. The root cause is the publication of sensitive data without proper access controls.

Recommendations

Upgrade to version 8.34 or later to address this issue.
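The field-filtering gap described above, modelled in plain Node.js as an added example; it is not Wekan's code or the project's actual fix. The field names `url` and `token`, the `isBoardAdmin` flag, the admin exception and all sample documents are assumptions constructed for illustration.

```javascript
'use strict';
// Added illustration; plain Node.js, no Meteor. Field names and data are constructed.
const SENSITIVE_FIELDS = ['url', 'token']; // assumed names for webhook URL and auth token

const integrations = [ // constructed sample documents
  { _id: 'i1', boardId: 'b1', title: 'CI hook', enabled: true,
    url: 'https://hooks.example.invalid/in/1', token: 'constructed-token-1' },
  { _id: 'i2', boardId: 'b1', title: 'Chat hook', enabled: false,
    url: 'https://hooks.example.invalid/in/2', token: 'constructed-token-2' },
  { _id: 'i3', boardId: 'b2', title: 'Other board', enabled: true,
    url: 'https://hooks.example.invalid/in/3', token: 'constructed-token-3' },
];

// Apply a Mongo-style exclusion projection ({ field: 0 }) to one document.
function project(doc, fields) {
  const out = {};
  for (const [key, value] of Object.entries(doc)) {
    if (fields[key] !== 0) out[key] = value;
  }
  return out;
}

// Before: the child publication returns whole integration documents.
function publishUnfiltered(docs, boardId) {
  return docs.filter((d) => d.boardId === boardId);
}

// After: secrets are projected out unless the subscriber is a board admin
// (the admin exception is an assumed policy, not taken from the advisory).
function publishFiltered(docs, boardId, subscriber) {
  const isAdmin = Boolean(subscriber && subscriber.isBoardAdmin);
  const fields = isAdmin ? {} : Object.fromEntries(SENSITIVE_FIELDS.map((f) => [f, 0]));
  return docs.filter((d) => d.boardId === boardId).map((d) => project(d, fields));
}

// Regression check: which sensitive fields appear in a published payload?
function leakedFields(payload) {
  const found = new Set();
  for (const doc of payload) {
    for (const f of SENSITIVE_FIELDS) if (f in doc) found.add(f);
  }
  return [...found].sort();
}

console.log('unfiltered, anonymous:', leakedFields(publishUnfiltered(integrations, 'b1')));
console.log('filtered, anonymous:  ', leakedFields(publishFiltered(integrations, 'b1', null)));
console.log('filtered, member:     ', leakedFields(publishFiltered(integrations, 'b1', { isBoardAdmin: false })));
```

A check like `leakedFields` can run in a test suite against whatever a publication returns for a non-admin or anonymous subscriber, so a later change that drops the projection fails the build.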

Exploit

Fix

Missing Authorization

Information Disclosure

Weakness Enumeration

Related Identifiers

CVE-2026-30845

Affected Products

Wekan