← Back
2026-02-05 20:32CVE-2026-1962VulDB
PUBLISHED5.2CWE-284CWE-266x_open-source

WeKan Attachment Migration attachmentMigration.js AttachmentMigrationBleed access control

A vulnerability has been found in WeKan up to 8.20. The impacted element is an unknown function of the file server/attachmentMigration.js of the component Attachment Migration. The manipulation leads to improper access controls. The attack may be initiated remotely. Upgrading to version 8.21 is sufficient to resolve this issue. The identifier of the patch is 053bf1dfb76ef230db162c64a6ed50ebedf67eee. It is recommended to upgrade the affected component.

Problem type

Affected products

WeKan

8.0 - AFFECTED

8.1 - AFFECTED

8.2 - AFFECTED

8.3 - AFFECTED

8.4 - AFFECTED

8.5 - AFFECTED

8.6 - AFFECTED

8.7 - AFFECTED

8.8 - AFFECTED

8.9 - AFFECTED

8.10 - AFFECTED

8.11 - AFFECTED

8.12 - AFFECTED

8.13 - AFFECTED

8.14 - AFFECTED

8.15 - AFFECTED

8.16 - AFFECTED

8.17 - AFFECTED

8.18 - AFFECTED

8.19 - AFFECTED

8.20 - AFFECTED

8.21 - UNAFFECTED

References

VDB-344484 | WeKan Attachment Migration attachmentMigration.js AttachmentMigrationBleed access control

https://vuldb.com/?id.344484

vdb-entry
VDB-344484 | CTI Indicators (IOB, IOC, TTP, IOA)

https://vuldb.com/?ctiid.344484

signaturepermissions-required
Submit #742677 | Wekan <8.21 Improper access control on migration endpoints (CWE-284)

https://vuldb.com/?submit.742677

third-party-advisory
github.com

https://github.com/wekan/wekan/commit/053bf1dfb76ef230db162c64a6ed50ebedf67eee

patch
github.com

https://github.com/wekan/wekan/releases/tag/v8.21

patch
github.com

https://github.com/wekan/wekan/

product

GitHub Security Advisories

GHSA-w6f3-6jw4-9h89

A vulnerability has been found in WeKan up to 8.20. The impacted element is an unknown function...

https://github.com/advisories/GHSA-w6f3-6jw4-9h89

A vulnerability has been found in WeKan up to 8.20. The impacted element is an unknown function of the file server/attachmentMigration.js of the component Attachment Migration. The manipulation leads to improper access controls. The attack may be initiated remotely. Upgrading to version 8.21 is sufficient to resolve this issue. The identifier of the patch is 053bf1dfb76ef230db162c64a6ed50ebedf67eee. It is recommended to upgrade the affected component.

nvd.nist.gov

https://nvd.nist.gov/vuln/detail/CVE-2026-1962

github.com

https://github.com/wekan/wekan/commit/053bf1dfb76ef230db162c64a6ed50ebedf67eee

github.com

https://github.com/wekan/wekan

github.com

https://github.com/wekan/wekan/releases/tag/v8.21

vuldb.com

https://vuldb.com/?ctiid.344484

vuldb.com

https://vuldb.com/?id.344484

vuldb.com

https://vuldb.com/?submit.742677

github.com

https://github.com/advisories/GHSA-w6f3-6jw4-9h89

JSON source

https://cveawg.mitre.org/api/cve/CVE-2026-1962
Click to expand
{
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "cveMetadata": {
    "cveId": "CVE-2026-1962",
    "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
    "assignerShortName": "VulDB",
    "dateUpdated": "2026-02-05T20:57:22.291Z",
    "dateReserved": "2026-02-05T10:51:22.769Z",
    "datePublished": "2026-02-05T20:32:08.752Z",
    "state": "PUBLISHED"
  },
  "containers": {
    "cna": {
      "providerMetadata": {
        "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "shortName": "VulDB",
        "dateUpdated": "2026-02-05T20:32:08.752Z"
      },
      "title": "WeKan Attachment Migration attachmentMigration.js AttachmentMigrationBleed access control",
      "descriptions": [
        {
          "lang": "en",
          "value": "A vulnerability has been found in WeKan up to 8.20. The impacted element is an unknown function of the file server/attachmentMigration.js of the component Attachment Migration. The manipulation leads to improper access controls. The attack may be initiated remotely. Upgrading to version 8.21 is sufficient to resolve this issue. The identifier of the patch is 053bf1dfb76ef230db162c64a6ed50ebedf67eee. It is recommended to upgrade the affected component."
        }
      ],
      "affected": [
        {
          "vendor": "n/a",
          "product": "WeKan",
          "modules": [
            "Attachment Migration"
          ],
          "versions": [
            {
              "version": "8.0",
              "status": "affected"
            },
            {
              "version": "8.1",
              "status": "affected"
            },
            {
              "version": "8.2",
              "status": "affected"
            },
            {
              "version": "8.3",
              "status": "affected"
            },
            {
              "version": "8.4",
              "status": "affected"
            },
            {
              "version": "8.5",
              "status": "affected"
            },
            {
              "version": "8.6",
              "status": "affected"
            },
            {
              "version": "8.7",
              "status": "affected"
            },
            {
              "version": "8.8",
              "status": "affected"
            },
            {
              "version": "8.9",
              "status": "affected"
            },
            {
              "version": "8.10",
              "status": "affected"
            },
            {
              "version": "8.11",
              "status": "affected"
            },
            {
              "version": "8.12",
              "status": "affected"
            },
            {
              "version": "8.13",
              "status": "affected"
            },
            {
              "version": "8.14",
              "status": "affected"
            },
            {
              "version": "8.15",
              "status": "affected"
            },
            {
              "version": "8.16",
              "status": "affected"
            },
            {
              "version": "8.17",
              "status": "affected"
            },
            {
              "version": "8.18",
              "status": "affected"
            },
            {
              "version": "8.19",
              "status": "affected"
            },
            {
              "version": "8.20",
              "status": "affected"
            },
            {
              "version": "8.21",
              "status": "unaffected"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "lang": "en",
              "description": "Improper Access Controls",
              "cweId": "CWE-284",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "lang": "en",
              "description": "Incorrect Privilege Assignment",
              "cweId": "CWE-266",
              "type": "CWE"
            }
          ]
        }
      ],
      "references": [
        {
          "url": "https://vuldb.com/?id.344484",
          "name": "VDB-344484 | WeKan Attachment Migration attachmentMigration.js AttachmentMigrationBleed access control",
          "tags": [
            "vdb-entry"
          ]
        },
        {
          "url": "https://vuldb.com/?ctiid.344484",
          "name": "VDB-344484 | CTI Indicators (IOB, IOC, TTP, IOA)",
          "tags": [
            "signature",
            "permissions-required"
          ]
        },
        {
          "url": "https://vuldb.com/?submit.742677",
          "name": "Submit #742677 | Wekan <8.21 Improper access control on migration endpoints (CWE-284)",
          "tags": [
            "third-party-advisory"
          ]
        },
        {
          "url": "https://github.com/wekan/wekan/commit/053bf1dfb76ef230db162c64a6ed50ebedf67eee",
          "tags": [
            "patch"
          ]
        },
        {
          "url": "https://github.com/wekan/wekan/releases/tag/v8.21",
          "tags": [
            "patch"
          ]
        },
        {
          "url": "https://github.com/wekan/wekan/",
          "tags": [
            "product"
          ]
        }
      ],
      "metrics": [
        {},
        {
          "cvssV3_1": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:X/RL:O/RC:C",
            "baseScore": 6.3,
            "baseSeverity": "MEDIUM"
          }
        },
        {
          "cvssV3_0": {
            "version": "3.0",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:X/RL:O/RC:C",
            "baseScore": 6.3,
            "baseSeverity": "MEDIUM"
          }
        },
        {
          "cvssV2_0": {
            "version": "2.0",
            "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P/E:ND/RL:OF/RC:C",
            "baseScore": 6.5
          }
        }
      ],
      "timeline": [
        {
          "time": "2026-02-05T00:00:00.000Z",
          "lang": "en",
          "value": "Advisory disclosed"
        },
        {
          "time": "2026-02-05T01:00:00.000Z",
          "lang": "en",
          "value": "VulDB entry created"
        },
        {
          "time": "2026-02-05T11:57:02.000Z",
          "lang": "en",
          "value": "VulDB entry last update"
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "MegaManSec (VulDB User)",
          "type": "reporter"
        }
      ],
      "tags": [
        "x_open-source"
      ]
    },
    "adp": [
      {
        "providerMetadata": {
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP",
          "dateUpdated": "2026-02-05T20:57:22.291Z"
        },
        "title": "CISA ADP Vulnrichment",
        "metrics": [
          {}
        ]
      }
    ]
  }
}