CVE-2026-2206
Published: 08 February 2026
Summary
CVE-2026-2206 is a medium-severity Incorrect Privilege Assignment (CWE-266) vulnerability in Wekan, maintained by the Wekan Project. Its CVSS base score is 5.3 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The vulnerability is ranked at the 14.7th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).
Deeper analysis
CVE-2026-2206 is a vulnerability involving improper access controls in the Administrative Repair Handler component of WeKan, specifically affecting unknown code in the file server/methods/fixDuplicateLists.js. It impacts WeKan versions up to 8.20 and was published on 2026-02-08. The issue is associated with CWE-266 (Incorrect Privilege Assignment) and CWE-284 (Improper Access Control), with a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L).
An attacker with low privileges can exploit this vulnerability remotely with low complexity and no user interaction required. Successful exploitation allows improper access controls, resulting in limited impacts to confidentiality, integrity, and availability.
Mitigation requires upgrading to WeKan version 8.21, which resolves the issue via patch commit 4ce181d17249778094f73d21515f7f863f554743. Details are available in the WeKan GitHub repository, release notes for v8.21, and VulDB entries.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-5823
Vulnerability details
A security flaw has been discovered in WeKan up to 8.20. This vulnerability affects unknown code of the file server/methods/fixDuplicateLists.js of the component Administrative Repair Handler. Performing a manipulation results in improper access controls. It is possible to initiate the attack remotely. Upgrading to version 8.21 is able to resolve this issue. The patch is named 4ce181d17249778094f73d21515f7f863f554743. It is advisable to upgrade the affected component.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Improper access control (CWE-284/CWE-266) in the administrative repair handler allows a low-privilege authenticated user to perform unauthorized actions, directly enabling Exploitation for Privilege Escalation (T1068).
Mitigating Controls (NIST 800-53 r5)
- AC-3 (Access Enforcement): directly enforces approved access policies on the Administrative Repair Handler so that low-privilege users cannot invoke fixDuplicateLists.js functions.
- AC-6 (Least Privilege): limits the privileges assigned to accounts, preventing the incorrect privilege assignment (CWE-266) that enables the improper access.
- Flaw remediation: requires prompt installation of the vendor patch (v8.21 / commit 4ce181d) that removes the access-control flaw from the affected code path.