Cyber Resilience

CVE-2026-2206

Medium

Published: 08 February 2026

Modified: 11 February 2026
KEV Added: not listed
Patch: v8.21 (commit 4ce181d17249778094f73d21515f7f863f554743)
CVSS v4.0 base score: 5.3 (Medium); vector CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N (threat, environmental and supplemental metrics not defined)
EPSS score: 0.0024 (14.7th percentile)
Risk Priority: 35 (floored blend · peak EPSS)

Summary

CVE-2026-2206 is a medium-severity Incorrect Privilege Assignment (CWE-266) vulnerability in Wekan Project Wekan. Its CVSS base score is 5.3 (Medium).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). EPSS ranks it at the 14.7th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).

Deeper analysis

CVE-2026-2206 is an improper access control vulnerability in the Administrative Repair Handler component of WeKan, affecting an unspecified function in the file server/methods/fixDuplicateLists.js. It impacts WeKan versions up to and including 8.20 and was published on 2026-02-08. The issue is classified as CWE-266 (Incorrect Privilege Assignment) and CWE-284 (Improper Access Control). The CVSS v3.1 base score is 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L); the CVSS v4.0 base score shown in the header is 5.3. Both vectors describe the same attack: network-reachable, low complexity, requiring only low privileges and no user interaction, with limited impact on confidentiality, integrity and availability.

An authenticated attacker with low privileges can exploit this vulnerability remotely with low complexity and no user interaction. Successful exploitation lets that caller invoke administrative repair functionality that should have been restricted to privileged accounts, with limited impact on confidentiality, integrity and availability (C:L/I:L/A:L).

Mitigation requires upgrading to WeKan version 8.21, which resolves the issue via patch commit 4ce181d17249778094f73d21515f7f863f554743. Details are available in the WeKan GitHub repository, release notes for v8.21, and VulDB entries.


Vulnerability details

A security flaw has been discovered in WeKan up to 8.20. This vulnerability affects unknown code of the file server/methods/fixDuplicateLists.js of the component Administrative Repair Handler. Performing a manipulation results in improper access controls. It is possible to initiate the attack remotely. Upgrading to version 8.21 is able to resolve this issue. The patch is named 4ce181d17249778094f73d21515f7f863f554743. It is advisable to upgrade the affected component.

CWE(s): CWE-266 Incorrect Privilege Assignment; CWE-284 Improper Access Control

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-generated mapping)

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

Improper access control (CWE-284/CWE-266) in the administrative repair handler allows a low-privileged authenticated user to perform actions reserved for administrators, which is exploitation of a software flaw for privilege escalation.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-1963 · Same product: Wekan Project Wekan
CVE-2026-1962 · Same product: Wekan Project Wekan
CVE-2026-25859 · Same product: Wekan Project Wekan
CVE-2026-30845 · Same product: Wekan Project Wekan
CVE-2026-25560 · Same product: Wekan Project Wekan
CVE-2026-30846 · Same product: Wekan Project Wekan
CVE-2026-25564 · Same product: Wekan Project Wekan
CVE-2026-25561 · Same product: Wekan Project Wekan
CVE-2026-25563 · Same product: Wekan Project Wekan
CVE-2026-30844 · Same product: Wekan Project Wekan

Affected Assets

Vendor: wekan project
Product: wekan
Versions: ≤ 8.20 (fixed in 8.21)

Mitigating Controls (NIST 800-53 r5, AI-generated mapping)

AC-3 Access Enforcement (prevent): Directly enforces approved access policies on the Administrative Repair Handler so that low-privilege users cannot invoke fixDuplicateLists.js functions.

AC-6 Least Privilege (prevent): Limits the privileges assigned to accounts, preventing the incorrect privilege assignment (CWE-266) that enables the improper access.

Vendor patch (prevent): Requires prompt installation of the vendor patch (v8.21 / commit 4ce181d) that removes the access-control flaw from the affected code path.
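As an added illustration, not WeKan's code and not the content of the patch commit, the block below shows the shape of the weakness described in the Deeper analysis section and the check that the AC-3 / AC-6 controls above call for: a Meteor-style server method that performs an administrative repair, registered first without any caller check (the CWE-284/CWE-266 pattern) and then gated by a server-side admin check. The users collection, the board lists, the method names and the `isAdmin` flag are constructed assumptions, and a small in-memory stand-in replaces Meteor.methods / Meteor.call so the file runs under plain Node without Meteor installed.

```javascript
// Added example: a Meteor-style admin repair method, unchecked vs. gated.
// Everything here is constructed; it is not WeKan's code or data.

// Constructed sample users (stand-in for the Meteor.users collection).
// The isAdmin flag is an assumption about the user schema.
const users = new Map([
  ['u-admin', { _id: 'u-admin', username: 'alice', isAdmin: true }],
  ['u-member', { _id: 'u-member', username: 'bob', isAdmin: false }],
]);

// Constructed board lists containing a duplicate title, the kind of data
// a "fix duplicate lists" repair routine would rewrite.
function makeLists() {
  return [
    { _id: 'l1', boardId: 'b1', title: 'Todo' },
    { _id: 'l2', boardId: 'b1', title: 'Todo' },
    { _id: 'l3', boardId: 'b1', title: 'Done' },
  ];
}

// Stand-in for Meteor.Error(error, reason).
class MethodError extends Error {
  constructor(code, reason) { super(reason); this.error = code; }
}

// Minimal stand-in for Meteor.methods / Meteor.call: a handler runs with
// this.userId bound to the caller's id, or null for an unauthenticated caller.
const methods = {};
function registerMethods(defs) { Object.assign(methods, defs); }
function callAs(userId, name, ...args) {
  const handler = methods[name];
  if (!handler) throw new MethodError(404, `method ${name} not found`);
  return handler.apply({ userId }, args);
}

// The repair itself: keep the first list per (board, title), drop the rest.
function fixDuplicateLists(lists) {
  const seen = new Set();
  const kept = [];
  let removed = 0;
  for (const l of lists) {
    const key = `${l.boardId}:${l.title}`;
    if (seen.has(key)) { removed += 1; continue; }
    seen.add(key);
    kept.push(l);
  }
  return { kept, removed };
}

// Vulnerable shape (CWE-284 / CWE-266): the method is registered with no
// check on who is calling, so any account that can reach the DDP endpoint
// may run an administrative repair.
registerMethods({
  'repair.fixDuplicateListsUnchecked'(lists) {
    return fixDuplicateLists(lists);
  },
});

// Hardened shape: authentication and an explicit admin check happen on the
// server, inside the method body, before any work is done (AC-3 / AC-6).
function requireAdmin(ctx) {
  if (!ctx.userId) throw new MethodError(401, 'not-authorized');
  const user = users.get(ctx.userId);
  if (!user || user.isAdmin !== true) throw new MethodError(403, 'admin-only');
  return user;
}

registerMethods({
  'repair.fixDuplicateLists'(lists) {
    requireAdmin(this);
    return fixDuplicateLists(lists);
  },
});

// Exercise both methods as different callers and report the outcome of each:
// a number is the count of lists removed (the call ran); a code is the
// error the gate raised.
function demo() {
  const out = {};
  out.uncheckedAsMember = callAs('u-member', 'repair.fixDuplicateListsUnchecked', makeLists()).removed;
  try { callAs('u-member', 'repair.fixDuplicateLists', makeLists()); out.checkedAsMember = 'ran'; }
  catch (e) { out.checkedAsMember = e.error; }
  try { callAs(null, 'repair.fixDuplicateLists', makeLists()); out.checkedAnon = 'ran'; }
  catch (e) { out.checkedAnon = e.error; }
  out.checkedAsAdmin = callAs('u-admin', 'repair.fixDuplicateLists', makeLists()).removed;
  return out;
}

console.log(demo());
```

In real Meteor code the gate reads `this.userId` and looks the account up with `Meteor.users.findOne(this.userId)` inside the method body; hiding the button in the client UI is not a substitute, because any authenticated client can call a published method directly over DDP, which is exactly why a server-side method with no check is reachable by a low-privileged user.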
