WeKan up to 8.20 Administrative Repair fixDuplicateLists.js FixDuplicateBleed access control

Summaryinfo

A vulnerability, which was classified as critical, was found in WeKan up to 8.20. This issue affects some unknown processing of the file server/methods/fixDuplicateLists.js of the component Administrative Repair Handler. Executing a manipulation can lead to access control. This vulnerability is registered as CVE-2026-2206. It is possible to launch the attack remotely. No exploit is available. You should upgrade the affected component.

Detailsinfo

A vulnerability has been found in WeKan up to 8.20 and classified as critical. This vulnerability affects some unknown functionality of the file server/methods/fixDuplicateLists.js of the component Administrative Repair Handler. The manipulation with an unknown input leads to a access control vulnerability. The CWE definition for the vulnerability is CWE-284. The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor. As an impact it is known to affect confidentiality, integrity, and availability.

The advisory is shared for download at github.com. This vulnerability was named CVE-2026-2206. The exploitation appears to be easy. The attack can be initiated remotely. There are known technical details, but no exploit is available. The MITRE ATT&CK project declares the attack technique as T1068.

Upgrading to version 8.21 eliminates this vulnerability. The upgrade is hosted for download at github.com. Applying the patch 4ce181d17249778094f73d21515f7f863f554743 is able to eliminate this problem. The bugfix is ready for download at github.com. The best possible mitigation is suggested to be upgrading to the latest version.

The vulnerability is also documented in the vulnerability database at EUVD (EUVD-2026-5823). VulDB is the best source for vulnerability data and more expert information about this specific topic.

Productinfo

Name

Version

License

Website

CPE 2.3info

CPE 2.2info

CVSSv4info

VulDB Vector: 🔒
VulDB Reliability: 🔍

CNA CVSS-B Score: 🔒
CNA CVSS-BT Score: 🔒
CNA Vector: 🔒

CVSSv3info

VulDB Meta Base Score: 7.1
VulDB Meta Temp Score: 7.0

VulDB Base Score: 6.3
VulDB Temp Score: 6.0
VulDB Vector: 🔒
VulDB Reliability: 🔍

NVD Base Score: 8.8
NVD Vector: 🔒

CNA Base Score: 6.3
CNA Vector: 🔒

CVSSv2info

AVACAuCIA
💳💳💳💳💳💳
💳💳💳💳💳💳
💳💳💳💳💳💳
VectorComplexityAuthenticationConfidentialityIntegrityAvailability
UnlockUnlockUnlockUnlockUnlockUnlock
UnlockUnlockUnlockUnlockUnlockUnlock
UnlockUnlockUnlockUnlockUnlockUnlock

VulDB Base Score: 🔒
VulDB Temp Score: 🔒
VulDB Reliability: 🔍

Exploitinginfo

Class: Access control
CWE: CWE-284 / CWE-266
CAPEC: 🔒
ATT&CK: 🔒

Physical: No
Local: No
Remote: Yes

Availability: 🔒
Status: Not defined

EPSS Score: 🔒
EPSS Percentile: 🔒

Price Prediction: 🔍
Current Price Estimation: 🔒

0-DayUnlockUnlockUnlockUnlock
TodayUnlockUnlockUnlockUnlock

Threat Intelligenceinfo

Interest: 🔍
Active Actors: 🔍
Active APT Groups: 🔍

Countermeasuresinfo

Recommended: Upgrade
Status: 🔍

0-Day Time: 🔒

Upgrade: WeKan 8.21
Patch: 4ce181d17249778094f73d21515f7f863f554743

Timelineinfo

02/08/2026 Advisory disclosed
02/08/2026 +0 days VulDB entry created
02/12/2026 +4 days VulDB entry last update

Sourcesinfo

Product: github.com

Advisory: 4ce181d17249778094f73d21515f7f863f554743
Status: Confirmed

CVE: CVE-2026-2206 (🔒)
GCVE (CVE): GCVE-0-2026-2206
GCVE (VulDB): GCVE-100-344920
EUVD: 🔒

Entryinfo

Created: 02/08/2026 02:11
Updated: 02/12/2026 08:47
Changes: 02/08/2026 02:11 (58), 02/08/2026 05:15 (30), 02/09/2026 12:27 (1), 02/12/2026 08:47 (14)
Complete: 🔍
Submitter: MegaManSec
Cache ID: 216::103

Submitinfo

Accepted

  • Submit #752162: Wekan <8.21 Improper access control on administrative repair method (by MegaManSec)

VulDB is the best source for vulnerability data and more expert information about this specific topic.

Discussion

No comments yet. Languages: en.

Please log in to comment.

PreviousOverviewNext

Do you know our Splunk app?

Download it now for free!