CVE-2026-1897 in WeKan (PositionHistoryBleed)
Summary
by MITRE • 02/05/2026
A vulnerability was found in WeKan up to version 8.20. It affects an unspecified function in the file server/methods/positionHistory.js of the Position-History Tracking component. The manipulation leads to missing authorization, and the attack can be carried out remotely. Upgrading to version 8.21 resolves the issue; the fix is commit 55576ec17722db094835470b386162c9a662fb60. Upgrading the affected component is advised.
Analysis
by VulDB Data Team • 02/05/2026
CVE-2026-1897 is a critical authorization bypass in the WeKan collaborative board platform affecting versions up to and including 8.20. The flaw lies in server/methods/positionHistory.js, the component that records position history. It lets remote attackers bypass the application's authorization controls and reach features or data that should be available only to authenticated users with the proper privileges. The impact goes beyond data exposure: because the access-control mechanism itself is undermined, an attacker may be able to perform actions they are not authorized to execute.
The weakness is classified as CWE-285 (Improper Authorization). In the position-history component the application fails to validate the caller's permissions before executing certain operations, so a remote attacker could potentially manipulate board positions, track user movements, or read sensitive historical data without proper authentication. Because the flaw is exploitable remotely, no physical access or local network privileges are needed, which considerably widens the threat surface.
For organizations that rely on WeKan for collaborative workspaces, project management, or team coordination, the operational impact can be severe. A successful attacker could access confidential project information, alter board layouts, track user activity, or gain elevated privileges within the system. Both integrity and confidentiality are affected: unauthorized access to position history can reveal user behavior, project timelines, or strategic planning activity, raising the risk of data breaches, unauthorized modifications, and compliance violations.
The recommended mitigation is to upgrade to WeKan 8.21, which carries the fix in commit 55576ec17722db094835470b386162c9a662fb60. The patch closes the bypass by adding proper access-control validation to the positionHistory.js component. Security teams should prioritize deploying it and test that the upgrade does not break existing workflows or integrations. Organizations should also consider network-level monitoring to detect exploitation attempts and establish baseline security practices for their WeKan deployments. The mapping to ATT&CK techniques T1078 (Valid Accounts) and T1566 (Phishing) underlines the importance of sound access controls and user authentication. Access-control policies should be reviewed so that every user holds only the privilege level their role requires, since this vulnerability could be chained by an attacker who has already gained initial access through other means.
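To make the CWE-285 pattern and the corrective check concrete, the following is a constructed, framework-free JavaScript sketch added to this analysis; it is not WeKan's code, and the method shape, sample data and names (`getPositionHistoryUnchecked`, `getPositionHistoryChecked`, `boards`, `positionHistory`) are assumptions, with `userId` standing in for the caller identity a Meteor server method sees as `this.userId`.

```javascript
// Constructed illustration of the missing-authorization pattern behind CVE-2026-1897.
// This is NOT WeKan's server/methods/positionHistory.js; it models the general shape
// of a server method that returns position history for a board.

// Constructed sample data: two boards, each with a single member.
const boards = {
  board1: { members: ['alice'] },
  board2: { members: ['bob'] },
};
const positionHistory = [
  { boardId: 'board1', cardId: 'c1', from: 0, to: 3, movedBy: 'alice' },
  { boardId: 'board2', cardId: 'c2', from: 1, to: 0, movedBy: 'bob' },
];

// Vulnerable shape (CWE-285): trusts the boardId argument and never asks who is calling,
// so any remote caller that can reach the method obtains another board's history.
function getPositionHistoryUnchecked(boardId) {
  return positionHistory.filter((h) => h.boardId === boardId);
}

// Hardened shape: the caller must be authenticated AND a member of the requested board.
// `userId` stands in for Meteor's `this.userId` inside a server method (assumption).
function getPositionHistoryChecked(userId, boardId) {
  if (!userId) {
    throw new Error('not-authorized: login required');
  }
  const board = boards[boardId];
  if (!board || !board.members.includes(userId)) {
    // Same error for "no such board" and "not a member" so board ids cannot be enumerated.
    throw new Error('not-authorized: no access to board');
  }
  return positionHistory.filter((h) => h.boardId === boardId);
}

// Returns true only when fn() is rejected by the authorization check.
function accessDenied(fn) {
  try {
    fn();
    return false;
  } catch (e) {
    return /not-authorized/.test(e.message);
  }
}
```

The unchecked variant hands out any board's history to any caller; the checked variant refuses anonymous callers, non-members and unknown board ids alike, which is the kind of validation the 8.21 fix is described as adding.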