CVE-2026-30847 in Wekan
Summary
by MITRE • 03/06/2026
Wekan is an open source kanban tool built with Meteor. In versions 8.31.0 through 8.33, the notificationUsers publication in Wekan publishes user documents with no field filtering, causing the ReactiveCache.getUsers() call to return all fields including highly sensitive data such as bcrypt password hashes, active session login tokens, email verification tokens, full email addresses, and any stored OAuth tokens. Unlike Meteor's default auto-publication which strips the services field for security, custom publications return whatever fields the cursor contains, meaning all subscribers receive the complete user documents. Any authenticated user who triggers this publication can harvest credentials and active session tokens for other users, enabling password cracking, session hijacking, and full account takeover. This issue has been fixed in version 8.34.
Analysis
by VulDB Data Team • 03/12/2026
CVE-2026-30847 is a critical information disclosure vulnerability in the Wekan open source kanban tool affecting versions 8.31.0 through 8.33. It stems from missing field filtering in the notificationUsers publication, part of Wekan's real-time data synchronization layer. The publication returns the result of ReactiveCache.getUsers(), which hands back complete user documents with no field sanitization, so sensitive authentication data reaches any subscriber who can access the publication. The flaw is especially severe because it sidesteps the protection Meteor applies by default: Meteor's auto-publication strips the services field from user documents, whereas a custom publication sends whatever fields its cursor contains. Classified under CWE-200, the issue is an exposure of sensitive information caused by improper data filtering; Wekan's custom publication does not apply the same controls that Meteor's built-in auto-publication enforces, creating a credential-harvesting path that runs contrary to the practices established in the OWASP Top Ten.
Exploitation requires only an authenticated user who triggers the notificationUsers publication; it then returns complete user documents containing bcrypt password hashes, active session login tokens, email verification tokens, full email addresses, and OAuth tokens. With that data an attacker can crack the bcrypt hashes, hijack sessions using the active login tokens, and take over accounts across the Wekan instance. The root cause is a data access control model in which the publication layer enforces no field-level restrictions, leaving a direct attack surface onto sensitive user information. Exposed email verification tokens and OAuth credentials amplify the risk further, since they can be used to reset passwords or obtain access through federated authentication systems. This vulnerability directly maps to ATT&CK technique T1566.001 for credential access through social engineering and T1566.002 for credential access through phishing, as the harvested credentials can be used to establish persistent access to user accounts.
The operational impact of CVE-2026-30847 goes beyond information disclosure to full account compromise and potential lateral movement within the Wekan environment. A successful attacker can obtain access to many user accounts at once, administrators and regular users alike, up to complete takeover of the instance. Active session tokens allow real-time session hijacking with no additional authentication factor, and bcrypt hashes allow offline password cracking that modern hardware accelerates. Organizations running Wekan 8.31.0 through 8.33 therefore face a significant risk of unauthorized access to project data, user communications, and system resources. Because the flaw sits in the core authentication and authorization mechanisms, it undermines the trust model Wekan relies on for secure collaboration. Security teams should also consider privilege escalation, where a compromised low-privilege account is used to read higher-privilege users' data, and the exposure of OAuth tokens, which could give attackers access to other services connected through federated authentication relationships.
Mitigation for CVE-2026-30847 starts with upgrading to version 8.34, where field filtering has been implemented in the notificationUsers publication. Organizations should also restrict network access to Wekan's publication endpoints and consider additional authentication controls such as multi-factor authentication to limit the impact of credential compromise. The fix should consist of explicit field filtering on the ReactiveCache.getUsers() result so that password hashes, session tokens, and verification tokens are never published to clients. Security monitoring should be extended to detect unusual publication access patterns and bulk data harvesting, and regular audits should verify that custom publications do not inadvertently expose sensitive fields. Custom publication code should be reviewed against the OWASP Secure Coding Practices, with field-level access controls applied consistently. The vulnerability is a reminder that data sanitization is critical in real-time data synchronization systems and that custom publication mechanisms in Meteor-based applications need thorough security testing.
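As an added example (not Wekan's or Meteor's code), the following JavaScript contrasts the unfiltered behaviour with an allow-list projection of the kind that fixes it, plus an audit helper that flags sensitive paths still present in a document bound for the client. The field set, the sample user document, the placeholder OAuth provider name and the helper names are assumptions; the document layout follows Meteor's accounts collection.

```javascript
// Added example, not Wekan's code: a minimal field-projection check for a
// Meteor-style user publication, mirroring the CWE-200 issue in notificationUsers.
// The sample document is constructed; its layout follows Meteor's accounts
// collection (services.password.bcrypt, services.resume.loginTokens, ...).
const rawUser = {
  _id: 'u1',
  username: 'alice',
  profile: { fullname: 'Alice Example', avatarUrl: '/avatar/u1' },
  emails: [{ address: 'alice@example.invalid', verified: true }],
  services: {
    password: { bcrypt: '$2b$10$CONSTRUCTED_PLACEHOLDER_HASH' },
    resume: { loginTokens: [{ hashedToken: 'CONSTRUCTED_TOKEN', when: 0 }] },
    email: { verificationTokens: [{ token: 'CONSTRUCTED_TOKEN', address: 'alice@example.invalid' }] },
    oauthprovider: { accessToken: 'CONSTRUCTED_TOKEN' }, // placeholder provider name
  },
};

// Allow-list projection (assumed): only what a notification UI needs. In Meteor
// this object would be passed as the `fields` option of the publication's find().
const NOTIFICATION_USER_FIELDS = { username: 1, 'profile.fullname': 1, 'profile.avatarUrl': 1 };

// Apply a Mongo-style inclusion projection with dotted paths; _id is always kept.
function projectFields(doc, fields) {
  const out = { _id: doc._id };
  for (const path of Object.keys(fields).filter((p) => fields[p])) {
    const parts = path.split('.');
    let src = doc, dst = out;
    for (let i = 0; i < parts.length; i++) {
      const key = parts[i];
      if (src === null || typeof src !== 'object' || !(key in src)) break;
      if (i === parts.length - 1) { dst[key] = src[key]; break; }
      dst[key] = dst[key] || {};
      dst = dst[key]; src = src[key];
    }
  }
  return out;
}

// Audit helper: which sensitive paths does a document bound for a client still carry?
// Any of these reaching the browser is the exact disclosure described above.
const SENSITIVE_PATHS = ['services.password.bcrypt', 'services.resume.loginTokens',
  'services.email.verificationTokens', 'services.oauthprovider.accessToken', 'emails'];
const getPath = (doc, p) => p.split('.').reduce((o, k) => (o && typeof o === 'object' ? o[k] : undefined), doc);
function exposedSensitivePaths(doc) { return SENSITIVE_PATHS.filter((p) => getPath(doc, p) !== undefined); }

function publishUnfiltered(user) { return user; }                                        // vulnerable: whole document
function publishFiltered(user) { return projectFields(user, NOTIFICATION_USER_FIELDS); } // fixed: allow-listed fields
```

A projection only prevents new disclosure; tokens and hashes that subscribers have already received remain usable until they are rotated.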