Cyber Resilience

CVE-2026-30846

High

Published: 06 March 2026

Published
06 March 2026
Modified
11 March 2026
KEV Added
Patch
CVSS Score v4 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0034 26.2th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-30846 is a high-severity Exposure of Sensitive Information to an Unauthorized Actor (CWE-200) vulnerability in Wekan Project Wekan. Its CVSS base score is 8.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 26.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-14 (Permitted Actions Without Identification or Authentication).

Deeper analysis

CVE-2026-30846 affects Wekan, an open-source kanban tool built with Meteor, specifically in versions 8.31.0 through 8.33. The vulnerability resides in the globalwebhooks publication, which exposes all global webhook integrations—including sensitive URL and token fields—without any server-side authentication checks. Normally invoked from the admin settings page, this publication lacks access controls, allowing any DDP client to subscribe and retrieve the data. The issue is rated at CVSS 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) and maps to CWE-200 (Exposure of Sensitive Information) and CWE-306 (Missing Authentication for Critical Function).

Unauthenticated attackers can exploit this vulnerability remotely over the network with low complexity and no privileges. By connecting as a DDP client to a vulnerable Wekan instance, they can subscribe to the globalwebhooks publication and obtain webhook URLs and authentication tokens. This enables unauthorized invocation of those webhooks, potentially granting access to connected external services and leading to further compromise depending on the integrations.

The vulnerability has been addressed in Wekan version 8.34, as detailed in the project's GitHub commit (1ee9b2e917104f54c035f6426169a28fedecbdb6), release notes (v8.34), and GitHub Security Lab advisory (GHSL-2026-037_Wekan). Security practitioners should upgrade to 8.34 or later and review exposed webhook configurations for potential misuse.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

Wekan is an open source kanban tool built with Meteor. In versions 8.31.0 through 8.33, the globalwebhooks publication exposes all global webhook integrations—including sensitive url and token fields—without performing any authentication check on the server side. Although the subscription is…

more

normally invoked from the admin settings page, the server-side publication has no access control, meaning any DDP client, including unauthenticated ones, can subscribe and receive the data. This allows an unauthenticated attacker to retrieve global webhook URLs and authentication tokens, potentially enabling unauthorized use of those webhooks and access to connected external services. This issue has been fixed in version 8.34.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1552 Unsecured Credentials Credential Access
Adversaries may search compromised systems to find and obtain insecurely stored credentials.
Why these techniques?

Vulnerability in public-facing Wekan app (missing auth on globalwebhooks DDP publication) directly enables T1190 to remotely retrieve webhook URLs/tokens; obtained secrets map to T1552 for unauthorized use against integrated services.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-30845Same product: Wekan Project Wekan
CVE-2026-1962Same product: Wekan Project Wekan
CVE-2026-25563Same product: Wekan Project Wekan
CVE-2026-25560Same product: Wekan Project Wekan
CVE-2026-25564Same product: Wekan Project Wekan
CVE-2026-25859Same product: Wekan Project Wekan
CVE-2026-25561Same product: Wekan Project Wekan
CVE-2026-1963Same product: Wekan Project Wekan
CVE-2026-30844Same product: Wekan Project Wekan
CVE-2026-2206Same product: Wekan Project Wekan

Affected Assets

wekan project
wekan
8.31 — 8.33

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Requires enforcement of approved authorizations for access to sensitive resources like the globalwebhooks publication, directly addressing the missing server-side authentication checks.

prevent

Principle of least privilege restricts access to webhook URLs and tokens to only necessary administrative roles, mitigating unauthorized exposure.

prevent

Limits and documents user actions allowable without identification or authentication, preventing sensitive publications from being accessible to unauthenticated DDP clients.

References