CVE-2026-1895 identifies an improper access control vulnerability in the open-source project management tool WeKan, specifically in the applyWipLimit function within the models/lists.js file of the Attachment Storage Handler component. This vulnerability allows remote attackers to manipulate access controls improperly, potentially bypassing restrictions intended to limit work-in-progress (WIP) limits or attachment handling policies. The flaw affects all WeKan versions from 8.0 through 8.20. The vulnerability can be exploited remotely without requiring authentication or user interaction, which increases the attack surface. The CVSS 4.0 base score is 5.3 (medium), reflecting the moderate impact on confidentiality, integrity, and availability, with low attack complexity and no privileges required. The patch for this vulnerability was released in version 8.21, identified by commit 8c0b4f79d8582932528ec2fdf2a4487c86770fb9, which corrects the access control logic to prevent unauthorized manipulations. No known exploits have been reported in the wild, but the broad version range affected and the nature of the flaw warrant prompt remediation. The vulnerability could allow attackers to access or modify project data or attachments beyond their authorized scope, potentially leading to data leakage or integrity issues within collaborative environments.

The vulnerability poses a moderate risk to organizations using WeKan for project management and collaboration. Exploitation could lead to unauthorized access or modification of attachments and project data, undermining confidentiality and integrity. This could result in exposure of sensitive business information, disruption of project workflows, or unauthorized data manipulation. Since the flaw can be exploited remotely without authentication or user interaction, attackers can potentially leverage it to escalate privileges or move laterally within an organization's infrastructure. Although no active exploitation is currently known, the widespread use of WeKan in various industries, including technology, education, and government, increases the potential impact. Organizations relying on WeKan for critical project tracking or sensitive data management should consider this vulnerability a significant risk until patched.

To mitigate CVE-2026-1895, organizations should immediately upgrade WeKan installations to version 8.21 or later, which contains the official patch correcting the improper access control in the applyWipLimit function. In addition to upgrading, administrators should audit user permissions and access controls within WeKan to ensure no excessive privileges are granted. Implement network segmentation and firewall rules to restrict access to WeKan instances only to trusted users and networks. Monitoring and logging access to WeKan resources can help detect any anomalous activities indicative of exploitation attempts. If upgrading is temporarily not feasible, consider disabling or restricting the affected Attachment Storage Handler functionality, if possible, to reduce exposure. Regularly review WeKan release notes and security advisories for any further updates or related vulnerabilities. Finally, educate users on secure usage practices and maintain backups of critical project data to enable recovery in case of compromise.