TROYANOSYVIRUS
Volver a CVEs

CVE-2026-30846

HIGH
7.5

Descripcion

Wekan is an open source kanban tool built with Meteor. In versions 8.31.0 through 8.33, the globalwebhooks publication exposes all global webhook integrations—including sensitive url and token fields—without performing any authentication check on the server side. Although the subscription is normally invoked from the admin settings page, the server-side publication has no access control, meaning any DDP client, including unauthenticated ones, can subscribe and receive the data. This allows an unauthenticated attacker to retrieve global webhook URLs and authentication tokens, potentially enabling unauthorized use of those webhooks and access to connected external services. This issue has been fixed in version 8.34.

Detalles CVE

Puntuacion CVSS v3.17.5
SeveridadHIGH
Vector CVSSCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Vector de ataqueNETWORK
ComplejidadLOW
Privilegios requeridosNONE
Interaccion usuarioNONE
Publicado3/6/2026
Ultima modificacion3/11/2026
Fuentenvd
Avistamientos honeypot0

Productos afectados

wekan_project:wekan

Debilidades (CWE)

CWE-200CWE-306CWE-306

Referencias

https://github.com/wekan/wekan/commit/1ee9b2e917104f54c035f6426169a28fedecbdb6(security-advisories@github.com)
https://github.com/wekan/wekan/releases/tag/v8.34(security-advisories@github.com)
https://securitylab.github.com/advisories/GHSL-2026-037_Wekan/(security-advisories@github.com)

Correlaciones IOC

Sin correlaciones registradas

This product uses data from the NVD API but is not endorsed or certified by the NVD.