CVE-2026-1892: Improper Authorization in WeKan
A security vulnerability has been detected in WeKan up to 8.20. This affects the function setBoardOrgs of the file models/boards.js of the component REST API. Such manipulation of the argument item.cardId/item.checklistId/card.boardId leads to improper authorization. The attack may be launched remotely. A high complexity level is associated with this attack. The exploitability is reported as difficult. Upgrading to version 8.21 mitigates this issue. The name of the patch is cabfeed9a68e21c469bf206d8655941444b9912c. It is suggested to upgrade the affected component.
AI Analysis
Technical Summary
CVE-2026-1892 is an improper authorization issue (CWE-285) in WeKan, the open-source kanban project-management tool, affecting releases up to and including 8.20 (the VulDB entry lists 8.0 through 8.20). The weakness sits in the REST API component, in the setBoardOrgs function of models/boards.js. The advisory ties it to manipulation of the arguments item.cardId, item.checklistId and card.boardId, which points to a permission check that relies on object identifiers the caller can influence: a remote, authenticated user can supply identifiers that satisfy the check while the operation lands on board, card or checklist data they are not authorized for. The advisory does not publish the exact request that bypasses the check, and no public exploit is known. VulDB rates the attack complexity as high and exploitability as difficult: a working request needs knowledge of the API and of valid object identifiers on the target instance. No user interaction is required and low privileges (an ordinary account) suffice. The CVSS 4.0 base score is 2.3 (Low), with low impact on confidentiality, integrity and availability. CVSS 4.0 has no Scope metric; the score reflects impact on the vulnerable WeKan instance only and no escalation beyond the low-privilege account used. The issue is fixed in WeKan 8.21 by commit cabfeed9a68e21c469bf206d8655941444b9912c, which strengthens the authorization checks in the affected code path. The low score measures how hard exploitation is, not whether the check is sound: on a shared instance every account holder is a potential caller, so affected deployments should upgrade.
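To make the bug class concrete, here is an added, hypothetical example. It is not WeKan's code and not a reconstruction of the patched function (the advisory does not show it). It uses in-memory maps in place of the Boards, Cards and ChecklistItems collections and the invented names makeDb, isBoardMember, setItemTitleVulnerable, setItemTitleFixed and attempt. The vulnerable handler authorizes against the boardId the client sends; the hardened handler ignores client-supplied board and card ids and walks from the stored item to its card to its board before checking membership.

```javascript
// Added, hypothetical example: not WeKan's code. The in-memory maps stand in
// for the Boards, Cards and ChecklistItems collections; all data is constructed.
function makeDb() {
  return {
    boards: new Map([
      ['boardA', { members: new Set(['alice']) }],
      ['boardB', { members: new Set(['bob']) }],
    ]),
    cards: new Map([
      ['cardB1', { boardId: 'boardB' }],
    ]),
    checklistItems: new Map([
      ['itemB1', { cardId: 'cardB1', title: 'ship release' }],
    ]),
  };
}

function isBoardMember(db, userId, boardId) {
  const board = db.boards.get(boardId);
  return Boolean(board && board.members.has(userId));
}

// Vulnerable pattern: the authorization decision is made against an identifier
// the client chose (req.boardId), while the write lands on the object named by
// req.itemId. alice, a member of boardA only, can pass boardId 'boardA' and
// still edit an item that belongs to a card on boardB.
function setItemTitleVulnerable(db, userId, req) {
  if (!isBoardMember(db, userId, req.boardId)) throw new Error('forbidden');
  const item = db.checklistItems.get(req.itemId);
  if (!item) throw new Error('forbidden');
  item.title = req.title;
  return item;
}

// Hardened pattern: ignore any board or card id in the request; walk from the
// stored item to its card to its board and check membership on that board.
// One 'forbidden' covers both "no such item" and "not a member", so the
// endpoint does not double as an oracle for which item ids exist.
function setItemTitleFixed(db, userId, req) {
  const item = db.checklistItems.get(req.itemId);
  const card = item && db.cards.get(item.cardId);
  if (!card || !isBoardMember(db, userId, card.boardId)) {
    throw new Error('forbidden');
  }
  item.title = req.title;
  return item;
}

// Runs one handler against a fresh database and reports the outcome.
function attempt(handler, userId, req) {
  const db = makeDb();
  try {
    return { ok: true, title: handler(db, userId, req).title };
  } catch (e) {
    return { ok: false, error: e.message };
  }
}

// Cross-board request: alice names her own board but bob's checklist item.
const crossBoard = { boardId: 'boardA', cardId: 'cardB1', itemId: 'itemB1', title: 'tampered' };
console.log(attempt(setItemTitleVulnerable, 'alice', crossBoard)); // { ok: true, title: 'tampered' }
console.log(attempt(setItemTitleFixed, 'alice', crossBoard));      // { ok: false, error: 'forbidden' }
console.log(attempt(setItemTitleFixed, 'bob', crossBoard));        // { ok: true, title: 'tampered' }
```

The rule the fixed handler follows is the one to look for when reviewing the real patch: every identifier that feeds a permission decision must come from server-side state reached from the object being acted on, never from the request body.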
Potential Impact
An authenticated user could read or change board-related data (board organisation settings, cards, checklist items) on boards where they hold no such permission, exposing project information or corrupting task tracking. The CVSS metrics rate confidentiality, integrity and availability impact as low and exploitation as difficult, and no exploitation in the wild has been reported, so the immediate risk is low. The practical impact still depends on what the boards hold: WeKan is commonly the shared planning tool for teams, so an unauthorized cross-board change undermines trust in the board contents and can disrupt the work tracked there. Organisations with confidential project data in WeKan should treat this as worth prompt remediation rather than waiting for exploit reports.
Mitigation Recommendations
Upgrade every WeKan instance to 8.21 or later; that release carries commit cabfeed9a68e21c469bf206d8655941444b9912c, which corrects the authorization logic around setBoardOrgs. Confirm the running version after the upgrade rather than trusting the deployment manifest. Until the upgrade is done, restrict the REST API at the reverse proxy to trusted source addresses, or disable it entirely if nothing integrates with it (WeKan's docker-compose examples gate the API with the WITH_API environment setting). Because the advisory does not name a specific HTTP route, restrict the whole /api/ path rather than guessing at individual endpoints. Review API access logs for board or card modifications that reference objects outside the board named in the request, and for bursts of 401/403 responses from a single account, which is what probing for valid identifiers looks like. Keep accounts on least privilege: remove stale board members and API tokens, and do not give integration accounts board-admin rights they do not need. Finally, follow the WeKan project's release notes and the CVE record for changes in the assessment or the appearance of a public exploit.
Affected Countries
United States, Germany, United Kingdom, France, Canada, Australia, Netherlands, Japan, South Korea, India
Technical Details
- Data Version: 5.2
- Assigner Short Name: VulDB
- Date Reserved: 2026-02-04T14:33:34.302Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 6983c4edf9fa50a62fb05c77
Added to database: 2/4/2026, 10:15:09 PM
Last enriched: 2/23/2026, 9:59:17 PM
Last updated: 3/21/2026, 11:43:41 PM
Views: 48