Cyber Posture

CVE-2026-30846

High

Published: 06 March 2026

Published
06 March 2026
Modified
11 March 2026
KEV Added
Patch
CVSS Score 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS Score 0.0016 36.2th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-30846 is a high-severity Exposure of Sensitive Information to an Unauthorized Actor (CWE-200) vulnerability in Wekan Project Wekan. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 36.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 1 other technique.
Threat & Defense Details

Likely Mitigating ControlsAI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

AU-14 Session Audit
addresses: CWE-200 CWE-306

Session auditing enables detection of unauthorized exposure or access to sensitive information during user activities.

PL-8 Security and Privacy Architectures
addresses: CWE-200 CWE-306

Privacy and security architectures require controls to protect sensitive information from unauthorized exposure across the system lifecycle.

PM-5 System Inventory
addresses: CWE-200 CWE-306

Inventory identifies all systems holding or processing data, enabling detection of unauthorized exposure paths before exploitation.

PM-8 Critical Infrastructure Plan
addresses: CWE-306 CWE-200

Protection planning for critical infrastructure directly calls for authentication of access to essential functions before any operation is permitted.

RA-3 Risk Assessment
addresses: CWE-306 CWE-200

Risk assessments evaluate exposure of critical functions lacking authentication and prioritize corrective controls.

SC-14 Public Access Protections
addresses: CWE-306 CWE-200

Requires authentication gates on critical functions that must remain unavailable to anonymous public users.

SC-15 Collaborative Computing Devices and Applications
addresses: CWE-306 CWE-200

Treats remote activation of surveillance-capable devices as a critical function that must be disabled or authenticated.

SC-26 Decoys
addresses: CWE-200 CWE-306

Decoys supply misleading data and log access attempts, directly detecting and deflecting unauthorized information exposure.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
attack.mitre.org →
T1552 Unsecured Credentials Credential Access
Adversaries may search compromised systems to find and obtain insecurely stored credentials.
attack.mitre.org →
Why these techniques?

Vulnerability in public-facing Wekan app (missing auth on globalwebhooks DDP publication) directly enables T1190 to remotely retrieve webhook URLs/tokens; obtained secrets map to T1552 for unauthorized use against integrated services.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Wekan is an open source kanban tool built with Meteor. In versions 8.31.0 through 8.33, the globalwebhooks publication exposes all global webhook integrations—including sensitive url and token fields—without performing any authentication check on the server side. Although the subscription is…

more

normally invoked from the admin settings page, the server-side publication has no access control, meaning any DDP client, including unauthenticated ones, can subscribe and receive the data. This allows an unauthenticated attacker to retrieve global webhook URLs and authentication tokens, potentially enabling unauthorized use of those webhooks and access to connected external services. This issue has been fixed in version 8.34.

Deeper analysisAI

CVE-2026-30846 affects Wekan, an open-source kanban tool built with Meteor, specifically in versions 8.31.0 through 8.33. The vulnerability resides in the globalwebhooks publication, which exposes all global webhook integrations—including sensitive URL and token fields—without any server-side authentication checks. Normally invoked from the admin settings page, this publication lacks access controls, allowing any DDP client to subscribe and retrieve the data. The issue is rated at CVSS 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) and maps to CWE-200 (Exposure of Sensitive Information) and CWE-306 (Missing Authentication for Critical Function).

Unauthenticated attackers can exploit this vulnerability remotely over the network with low complexity and no privileges. By connecting as a DDP client to a vulnerable Wekan instance, they can subscribe to the globalwebhooks publication and obtain webhook URLs and authentication tokens. This enables unauthorized invocation of those webhooks, potentially granting access to connected external services and leading to further compromise depending on the integrations.

The vulnerability has been addressed in Wekan version 8.34, as detailed in the project's GitHub commit (1ee9b2e917104f54c035f6426169a28fedecbdb6), release notes (v8.34), and GitHub Security Lab advisory (GHSL-2026-037_Wekan). Security practitioners should upgrade to 8.34 or later and review exposed webhook configurations for potential misuse.

Details

CWE(s)
CWE-200CWE-306

Affected Products

wekan project
wekan
8.31 — 8.33

CVEs Like This One

CVE-2026-30845Same product: Wekan Project Wekan
CVE-2026-1962Same product: Wekan Project Wekan
CVE-2026-25563Same product: Wekan Project Wekan
CVE-2026-1963Same product: Wekan Project Wekan
CVE-2026-25564Same product: Wekan Project Wekan
CVE-2026-25859Same product: Wekan Project Wekan
CVE-2026-25560Same product: Wekan Project Wekan
CVE-2026-25561Same product: Wekan Project Wekan
CVE-2026-30844Same product: Wekan Project Wekan
CVE-2026-2206Same product: Wekan Project Wekan

References