CVE-2026-30845
Published: 06 March 2026
Summary
CVE-2026-30845 is a high-severity Exposure of Sensitive Information to an Unauthorized Actor (CWE-200) vulnerability in Wekan (vendor listed as Wekan Project). Its CVSS base score is 8.2 (High).
Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 24.0th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-15 (Information Output Filtering).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
AC-3 enforces approved authorizations to prevent unauthorized board members, including read-only and comment-only users, from accessing sensitive webhook URLs and tokens exposed in unfiltered board publications.
SI-15 filters sensitive information from outputs like board publications, directly mitigating the lack of field filtering that exposes webhook credentials to subscribers.
AC-6 applies least privilege to restrict sensitive integration data access to only privileged board roles, reducing exposure to lower-privilege users and unauthenticated public board clients.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The CVE enables remote exploitation of a public-facing web application (Wekan) to disclose webhook URLs and authentication tokens because authorization and field filtering are missing from the board publication; the leaked tokens directly facilitate unauthorized requests to the external services connected through those webhooks.
NVD Description
Wekan is an open source kanban tool built with Meteor. In versions 8.31.0 through 8.33, the board composite publication in Wekan publishes all integration data for a board without any field filtering, exposing sensitive fields including webhook URLs and authentication tokens to any subscriber. Since board publications are accessible to all board members regardless of their role (including read-only and comment-only users), and even to unauthenticated DDP clients for public boards, any user who can access a board can retrieve its webhook credentials. This token leak allows attackers to make unauthenticated requests to the exposed webhooks, potentially triggering unauthorized actions in connected external services. This issue has been fixed in version 8.34.
Deeper analysis
CVE-2026-30845 is a vulnerability in Wekan, an open-source kanban tool built with Meteor, affecting versions 8.31.0 through 8.33. The issue resides in the board composite publication, which discloses all integration data for a board without field filtering. This exposes sensitive fields, such as webhook URLs and authentication tokens, to any subscriber. The vulnerability is rated at CVSS 8.2 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N) and is associated with CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) and CWE-862 (Missing Authorization).
Any user who can access a board can exploit this vulnerability, including all board members regardless of role—such as read-only or comment-only users—and even unauthenticated DDP clients for public boards. Attackers can retrieve the exposed webhook credentials and use them to make unauthenticated requests to the webhooks, potentially triggering unauthorized actions in connected external services.
The vulnerability has been fixed in Wekan version 8.34. Mitigation details are available in the fixing commit at https://github.com/wekan/wekan/commit/8c00adc6b865653bd717a946dd646eb54ac78c9c, the release notes at https://github.com/wekan/wekan/releases/tag/v8.34, and the GitHub Security Lab advisory at https://securitylab.github.com/advisories/GHSL-2026-036_Wekan/.
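The following is an added example, not code from Wekan or from the fixing commit, that models the two failure modes described above (no field filtering in the publication, and no role check before integration data is published) beside a hardened shape that applies AC-3/AC-6 (only board admins receive the full integration document) and SI-15 (webhook URL and token are projected out for everyone else). The integration field names `url` and `token`, the member flags `isAdmin`, `isNoComments` and `isCommentOnly`, the `permission: 'public'` marker and all sample documents are assumptions constructed for illustration; the `{ fields: { ... } }` projection is the shape Meteor's `Collection.find()` accepts, applied here to plain objects so the example runs without MongoDB or a DDP server.

```javascript
'use strict';

// Fields an integration document carries that must never reach a non-admin
// subscriber. The names are assumed; the advisory only says "webhook URLs and
// authentication tokens".
const SENSITIVE_INTEGRATION_FIELDS = ['url', 'token'];

// Constructed sample data: two outgoing webhooks attached to one board.
const SAMPLE_INTEGRATIONS = [
  { _id: 'int1', boardId: 'board1', title: 'CI notifier', type: 'outgoing-webhook',
    enabled: true, activities: ['createCard'],
    url: 'https://ci.example.test/hooks/abc', token: 'sample-token-1' },
  { _id: 'int2', boardId: 'board1', title: 'Chat bridge', type: 'outgoing-webhook',
    enabled: false, activities: ['all'],
    url: 'https://chat.example.test/hooks/xyz', token: 'sample-token-2' },
];

// Constructed board: public (so unauthenticated DDP clients may subscribe),
// with one admin, one comment-only member and one read-only member.
const SAMPLE_BOARD = {
  _id: 'board1',
  permission: 'public',
  members: [
    { userId: 'alice', isAdmin: true,  isNoComments: false, isCommentOnly: false },
    { userId: 'bob',   isAdmin: false, isNoComments: false, isCommentOnly: true },
    { userId: 'carol', isAdmin: false, isNoComments: true,  isCommentOnly: false },
  ],
};

// Meteor-style exclusion projection, e.g. { fields: { url: 0, token: 0 } }.
function sensitiveFieldProjection() {
  const fields = {};
  for (const f of SENSITIVE_INTEGRATION_FIELDS) fields[f] = 0;
  return { fields };
}

// Apply an exclusion projection to plain documents; stands in for the cursor
// a real publication would return.
function applyProjection(docs, projection) {
  const excluded = Object.keys(projection.fields).filter((k) => projection.fields[k] === 0);
  return docs.map((doc) => {
    const copy = { ...doc };
    for (const k of excluded) delete copy[k];
    return copy;
  });
}

// Read access as the advisory describes it: any member, or anyone at all on a
// public board (userId null models an unauthenticated DDP client).
function canReadBoard(board, userId) {
  if (board.permission === 'public') return true;
  return board.members.some((m) => m.userId === userId);
}

function isBoardAdmin(board, userId) {
  return userId !== null && board.members.some((m) => m.userId === userId && m.isAdmin);
}

// Vulnerable shape (CWE-200 / CWE-862): every subscriber who can read the
// board receives every field, webhook URL and token included.
function publishIntegrationsUnfiltered(board, integrations, userId) {
  if (!canReadBoard(board, userId)) return [];
  return integrations.filter((i) => i.boardId === board._id);
}

// Hardened shape: the read check is kept, but only board admins get the full
// document; everyone else (read-only, comment-only, unauthenticated) gets the
// projection with the secret fields removed.
function publishIntegrationsFiltered(board, integrations, userId) {
  if (!canReadBoard(board, userId)) return [];
  const own = integrations.filter((i) => i.boardId === board._id);
  if (isBoardAdmin(board, userId)) return own;
  return applyProjection(own, sensitiveFieldProjection());
}

// Check a published payload the way a reviewer or a test would: does any
// document still carry a sensitive field?
function leaksSecrets(docs) {
  return docs.some((d) => SENSITIVE_INTEGRATION_FIELDS.some((f) => f in d));
}

// Compare what an unauthenticated subscriber to the public board receives.
for (const [label, fn] of [['unfiltered', publishIntegrationsUnfiltered],
                           ['filtered', publishIntegrationsFiltered]]) {
  const docs = fn(SAMPLE_BOARD, SAMPLE_INTEGRATIONS, null);
  console.log(`${label}: ${docs.length} docs, leaks secrets: ${leaksSecrets(docs)}`);
}
```

The point of `leaksSecrets` is that it checks the payload, not the role logic: a regression test that subscribes as the lowest-privilege identity (an anonymous client on a public board) and asserts that no `url` or `token` field is present catches this class of bug regardless of how the publication is restructured.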
Details
- CWE(s)