{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-30846", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-05T21:27:35.341Z", "datePublished": "2026-03-06T19:35:59.942Z", "dateUpdated": "2026-03-09T20:34:19.977Z"}, "containers": {"cna": {"title": "Wekan Exposes All Global Webhook Integrations through globalwebhooks Publication", "problemTypes": [{"descriptions": [{"cweId": "CWE-306", "lang": "en", "description": "CWE-306: Missing Authentication for Critical Function", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-200", "lang": "en", "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "baseScore": 8.7, "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:L/SA:N", "version": "4.0"}}], "references": [{"name": "https://securitylab.github.com/advisories/GHSL-2026-037_Wekan/", "tags": ["x_refsource_CONFIRM"], "url": "https://securitylab.github.com/advisories/GHSL-2026-037_Wekan/"}, {"name": "https://github.com/wekan/wekan/commit/1ee9b2e917104f54c035f6426169a28fedecbdb6", "tags": ["x_refsource_MISC"], "url": "https://github.com/wekan/wekan/commit/1ee9b2e917104f54c035f6426169a28fedecbdb6"}, {"name": "https://github.com/wekan/wekan/releases/tag/v8.34", "tags": ["x_refsource_MISC"], "url": "https://github.com/wekan/wekan/releases/tag/v8.34"}], "affected": [{"vendor": "Wekan", "product": "Wekan", "versions": [{"version": ">= 8.31.0, < 8.34", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-06T19:35:59.942Z"}, "descriptions": [{"lang": "en", "value": "Wekan is an open source kanban tool built with Meteor. In versions 8.31.0 through 8.33, the globalwebhooks publication exposes all global webhook integrations\u2014including sensitive url and token fields\u2014without performing any authentication check on the server side. Although the subscription is normally invoked from the admin settings page, the server-side publication has no access control, meaning any DDP client, including unauthenticated ones, can subscribe and receive the data. This allows an unauthenticated attacker to retrieve global webhook URLs and authentication tokens, potentially enabling unauthorized use of those webhooks and access to connected external services. This issue has been fixed in version 8.34."}], "source": {"advisory": "GHSA-6cjm-8wwg-959q", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-30846", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-09T20:25:34.093667Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-09T20:34:19.977Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-30846", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-09T20:25:34.093667Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-09T20:26:58.301Z"}}], "cna": {"title": "Wekan Exposes All Global Webhook Integrations through globalwebhooks Publication", "source": {"advisory": "GHSA-6cjm-8wwg-959q", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 8.7, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:L/SA:N", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "LOW", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH"}}], "affected": [{"vendor": "Wekan", "product": "Wekan", "versions": [{"status": "affected", "version": ">= 8.31.0, < 8.34"}]}], "references": [{"url": "https://securitylab.github.com/advisories/GHSL-2026-037_Wekan/", "name": "https://securitylab.github.com/advisories/GHSL-2026-037_Wekan/", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/wekan/wekan/commit/1ee9b2e917104f54c035f6426169a28fedecbdb6", "name": "https://github.com/wekan/wekan/commit/1ee9b2e917104f54c035f6426169a28fedecbdb6", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/wekan/wekan/releases/tag/v8.34", "name": "https://github.com/wekan/wekan/releases/tag/v8.34", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Wekan is an open source kanban tool built with Meteor. In versions 8.31.0 through 8.33, the globalwebhooks publication exposes all global webhook integrations\u2014including sensitive url and token fields\u2014without performing any authentication check on the server side. Although the subscription is normally invoked from the admin settings page, the server-side publication has no access control, meaning any DDP client, including unauthenticated ones, can subscribe and receive the data. This allows an unauthenticated attacker to retrieve global webhook URLs and authentication tokens, potentially enabling unauthorized use of those webhooks and access to connected external services. This issue has been fixed in version 8.34."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-306", "description": "CWE-306: Missing Authentication for Critical Function"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-200", "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-06T19:35:59.942Z"}}}, "cveMetadata": {"cveId": "CVE-2026-30846", "state": "PUBLISHED", "dateUpdated": "2026-03-09T20:34:19.977Z", "dateReserved": "2026-03-05T21:27:35.341Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-06T19:35:59.942Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:wekan_project:wekan:*:*:*:*:*:*:*:*", "matchCriteriaId": "82F22D3F-FA6B-485B-94AE-266CD62CC379", "versionEndExcluding": "8.33", "versionStartIncluding": "8.31", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Wekan is an open source kanban tool built with Meteor. In versions 8.31.0 through 8.33, the globalwebhooks publication exposes all global webhook integrations\u2014including sensitive url and token fields\u2014without performing any authentication check on the server side. Although the subscription is normally invoked from the admin settings page, the server-side publication has no access control, meaning any DDP client, including unauthenticated ones, can subscribe and receive the data. This allows an unauthenticated attacker to retrieve global webhook URLs and authentication tokens, potentially enabling unauthorized use of those webhooks and access to connected external services. This issue has been fixed in version 8.34."}, {"lang": "es", "value": "Wekan es una herramienta kanban de c\u00f3digo abierto construida con Meteor. En las versiones 8.31.0 a 8.33, la publicaci\u00f3n globalwebhooks expone todas las integraciones de webhook globales \u2014incluyendo campos sensibles de URL y token\u2014 sin realizar ninguna comprobaci\u00f3n de autenticaci\u00f3n en el lado del servidor. Aunque la suscripci\u00f3n se invoca normalmente desde la p\u00e1gina de configuraci\u00f3n de administrador, la publicaci\u00f3n del lado del servidor no tiene control de acceso, lo que significa que cualquier cliente DDP, incluidos los no autenticados, puede suscribirse y recibir los datos. Esto permite a un atacante no autenticado recuperar URLs de webhook globales y tokens de autenticaci\u00f3n, lo que podr\u00eda permitir el uso no autorizado de esos webhooks y el acceso a servicios externos conectados. Este problema ha sido solucionado en la versi\u00f3n 8.34."}], "id": "CVE-2026-30846", "lastModified": "2026-03-11T14:24:30.953", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "[email protected]", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 8.7, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "LOW", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "[email protected]", "type": "Secondary"}]}, "published": "2026-03-06T20:16:17.357", "references": [{"source": "[email protected]", "tags": ["Patch"], "url": "https://github.com/wekan/wekan/commit/1ee9b2e917104f54c035f6426169a28fedecbdb6"}, {"source": "[email protected]", "tags": ["Release Notes"], "url": "https://github.com/wekan/wekan/releases/tag/v8.34"}, {"source": "[email protected]", "tags": ["Third Party Advisory"], "url": "https://securitylab.github.com/advisories/GHSL-2026-037_Wekan/"}], "sourceIdentifier": "[email protected]", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-200"}, {"lang": "en", "value": "CWE-306"}], "source": "[email protected]", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-306"}], "source": "[email protected]", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[8.31.0,8.34)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Wekan", "source": "cna", "vendor": "Wekan"}, "product": "wekan", "vendor": "wekan"}], "created": "2026-03-09T10:07:06.088394+00:00", "updated": "2026-03-09T10:07:06.088474+00:00", "vendors": ["wekan", "wekan$PRODUCT$wekan"]}