CVE-2026-30846
Published: 06 March 2026
Summary
CVE-2026-30846 is a high-severity Exposure of Sensitive Information to an Unauthorized Actor (CWE-200) vulnerability in Wekan Project Wekan. Its CVSS base score is 8.7 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 26.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-14 (Permitted Actions Without Identification or Authentication).
Deeper analysis
CVE-2026-30846 affects Wekan, an open-source kanban tool built with Meteor, specifically in versions 8.31.0 through 8.33. The vulnerability resides in the globalwebhooks publication, which exposes all global webhook integrations—including sensitive URL and token fields—without any server-side authentication checks. Normally invoked from the admin settings page, this publication lacks access controls, allowing any DDP client to subscribe and retrieve the data. The issue is rated at CVSS 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) and maps to CWE-200 (Exposure of Sensitive Information) and CWE-306 (Missing Authentication for Critical Function).
Unauthenticated attackers can exploit this vulnerability remotely over the network with low complexity and no privileges. By connecting as a DDP client to a vulnerable Wekan instance, they can subscribe to the globalwebhooks publication and obtain webhook URLs and authentication tokens. This enables unauthorized invocation of those webhooks, potentially granting access to connected external services and leading to further compromise depending on the integrations.
The vulnerability has been addressed in Wekan version 8.34, as detailed in the project's GitHub commit (1ee9b2e917104f54c035f6426169a28fedecbdb6), release notes (v8.34), and GitHub Security Lab advisory (GHSL-2026-037_Wekan). Security practitioners should upgrade to 8.34 or later and review exposed webhook configurations for potential misuse.
OWASP Top 10 for Web (2025)
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-10065
Vulnerability details
Wekan is an open source kanban tool built with Meteor. In versions 8.31.0 through 8.33, the globalwebhooks publication exposes all global webhook integrations—including sensitive url and token fields—without performing any authentication check on the server side. Although the subscription is…
more
normally invoked from the admin settings page, the server-side publication has no access control, meaning any DDP client, including unauthenticated ones, can subscribe and receive the data. This allows an unauthenticated attacker to retrieve global webhook URLs and authentication tokens, potentially enabling unauthorized use of those webhooks and access to connected external services. This issue has been fixed in version 8.34.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Vulnerability in public-facing Wekan app (missing auth on globalwebhooks DDP publication) directly enables T1190 to remotely retrieve webhook URLs/tokens; obtained secrets map to T1552 for unauthorized use against integrated services.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Requires enforcement of approved authorizations for access to sensitive resources like the globalwebhooks publication, directly addressing the missing server-side authentication checks.
Principle of least privilege restricts access to webhook URLs and tokens to only necessary administrative roles, mitigating unauthorized exposure.
Limits and documents user actions allowable without identification or authentication, preventing sensitive publications from being accessible to unauthenticated DDP clients.