CVE-2026-30847

Name of the Vulnerable Software and Affected Versions Wekan versions 8.31.0 through 8.33

Description Wekan is an open source kanban tool built with Meteor. The notificationUsers publication in Wekan publishes user documents without filtering fields. This causes the ReactiveCache.getUsers() call to return all fields, including sensitive data such as bcrypt password hashes, active session login tokens, email verification tokens, full email addresses, and stored OAuth tokens. Custom publications return all cursor fields, meaning all subscribers receive complete user documents. Any authenticated user triggering this publication can collect credentials and session tokens for other users, potentially enabling password cracking, session hijacking, and account takeover.

Recommendations Update to version 8.34 or later.