CVE-2026-1892 is an improper authorization vulnerability identified in the open-source kanban board software WeKan, specifically affecting versions 8.0 through 8.20. The flaw resides in the REST API component, particularly in the setBoardOrgs function within the models/boards.js file. This function improperly validates authorization when processing certain arguments—namely item.cardId, item.checklistId, and card.boardId—allowing an attacker to manipulate these parameters to perform unauthorized actions on boards or related entities. The vulnerability does not require user interaction but does require the attacker to have low privileges (PR:L), and the attack complexity is high (AC:H), indicating that exploitation demands significant effort or conditions. The vulnerability impacts confidentiality, integrity, and availability at a low level due to limited scope and difficulty of exploitation. No known exploits are currently reported in the wild. The issue is resolved by upgrading to WeKan version 8.21, which includes a patch identified by commit cabfeed9a68e21c469bf206d8655941444b9912c. This patch corrects the authorization checks in the affected REST API function to prevent unauthorized access or manipulation of board-related data.

For European organizations using WeKan for project management or collaboration, this vulnerability could allow unauthorized users with limited privileges to access or modify board data beyond their authorization scope. Although the severity is low and exploitation is difficult, successful attacks could lead to minor data exposure or unauthorized changes to project boards, potentially disrupting workflows or leaking sensitive project information. The impact on confidentiality and integrity is limited but non-negligible, especially for organizations handling sensitive or regulated data. Availability impact is minimal but possible if unauthorized modifications affect board functionality. Since WeKan is used by various organizations, including SMEs and public sector entities in Europe, the vulnerability could pose a risk where strict access controls are critical. However, the low CVSS score and lack of known exploits reduce the immediate threat level.

European organizations should promptly upgrade all WeKan instances to version 8.21 or later to remediate this vulnerability. Prior to upgrading, administrators should audit current user privileges and API usage to identify any anomalous access patterns. Implement strict network segmentation and firewall rules to limit REST API access to trusted users and systems only. Employ monitoring and logging of API calls related to board and card management to detect potential exploitation attempts. Additionally, enforce the principle of least privilege for all users interacting with WeKan, ensuring that only necessary permissions are granted. Regularly review and update access control policies within WeKan to prevent privilege escalation. Finally, maintain an up-to-date inventory of WeKan deployments across the organization to ensure all instances are patched timely.