6.9

Wekan Open Kanban Tool Exposes Webhook Credentials

CVE-2026-30845
Summary

In versions 8.31.0 through 8.33 of Wekan, sensitive data like webhook URLs and authentication tokens are exposed to all users with access to a board, potentially allowing attackers to take unauthorized actions in connected services. This issue has been fixed in version 8.34. Wekan users should update to the latest version to prevent data exposure.

What to do

No fix is available yet. Check with your software vendor for updates.

Affected software
| Vendor | Product | Affected versions | Fix available |
| --- | --- | --- | --- |
| wekan_project | wekan | > 8.31, <= 8.33 | – |
Original title
Wekan is an open source kanban tool built with Meteor. In versions 8.31.0 through 8.33, the board composite publication in Wekan publishes all integration data for a board without any field filteri...
Original description
Wekan is an open source kanban tool built with Meteor. In versions 8.31.0 through 8.33, the board composite publication in Wekan publishes all integration data for a board without any field filtering, exposing sensitive fields including webhook URLs and authentication tokens to any subscriber. Since board publications are accessible to all board members regardless of their role (including read-only and comment-only users), and even to unauthenticated DDP clients for public boards, any user who can access a board can retrieve its webhook credentials. This token leak allows attackers to make unauthenticated requests to the exposed webhooks, potentially triggering unauthorized actions in connected external services. This issue has been fixed in version 8.34.
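The publication pattern described above, shown beside a role-aware, allowlisted variant. This is an added example, not Wekan's code or its actual fix. The field names `url` and `token`, the member flags, the helper names and the sample data are assumptions, and the code is plain JavaScript so it runs without Meteor.

```javascript
// Added illustration, not Wekan source. Field names, member flags and
// helper names are assumptions made for this sketch.
const SENSITIVE_FIELDS = ['token', 'url'];
const SAFE_FIELDS = ['_id', 'boardId', 'title', 'enabled'];

// Constructed sample data: a public board with one admin and one read-only member.
const board = {
  _id: 'b1',
  permission: 'public',
  members: [
    { userId: 'alice', isAdmin: true, isActive: true },
    { userId: 'bob', isAdmin: false, isReadOnly: true, isActive: true },
  ],
};
const integrations = [
  { _id: 'i1', boardId: 'b1', title: 'chat-notify', enabled: true,
    url: 'https://hooks.example.invalid/constructed', token: 'constructed-secret' },
];

// Pattern from the advisory: the subscriber is never consulted and no
// projection is applied, so every field reaches every subscriber.
function publishUnfiltered(_userId, board, docs) {
  return docs.filter((d) => d.boardId === board._id);
}

// Allowlist projection: fields added to the schema later stay private by default.
function pick(doc, fields) {
  return Object.fromEntries(fields.filter((f) => f in doc).map((f) => [f, doc[f]]));
}

// Hardened pattern: authorize first, then project according to role.
function publishFiltered(userId, board, docs) {
  const member = board.members.find((m) => m.userId === userId && m.isActive);
  if (!member && board.permission !== 'public') return []; // no access to a private board
  const scoped = docs.filter((d) => d.boardId === board._id);
  return member && member.isAdmin ? scoped : scoped.map((d) => pick(d, SAFE_FIELDS));
}

// Audit helper: which sensitive fields would this subscriber receive?
function leakedFields(publishFn, userId) {
  const docs = publishFn(userId, board, integrations);
  return SENSITIVE_FIELDS.filter((f) => docs.some((d) => f in d));
}
```

`leakedFields` doubles as a regression check: run it for a read-only member and for an unauthenticated subscriber (`null`) and require an empty result.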
nvd CVSS4.0 6.9
Vulnerability type
CWE-200 Information Exposure
CWE-862 Missing Authorization
Published: 6 Mar 2026 · Updated: 12 Mar 2026 · First seen: 6 Mar 2026