CVE-2026-1895: Improper Access Controls in WeKan
CVE-2026-1895 is a medium-severity vulnerability in WeKan versions up to 8.20, involving improper access controls in the applyWipLimit function within the Attachment Storage Handler component. The flaw allows remote attackers with limited privileges to manipulate access controls, potentially leading to unauthorized actions or data exposure. Exploitation does not require user interaction or elevated privileges beyond limited access, and no authentication bypass is indicated. The vulnerability is fixed in WeKan version 8.21. European organizations using affected WeKan versions should prioritize upgrading to mitigate risks. The vulnerability’s medium CVSS score (5.3) reflects moderate impact and ease of exploitation. Countries with significant adoption of WeKan, especially in public sector and collaborative environments, are at higher risk.
AI Analysis
Technical Summary
CVE-2026-1895 identifies an improper access control vulnerability in the open-source project management tool WeKan, specifically affecting versions 8.0 through 8.20. The flaw resides in the applyWipLimit function within the models/lists.js file, part of the Attachment Storage Handler component. This function is responsible for enforcing work-in-progress limits on lists, but due to insufficient access control checks, an attacker with limited privileges can remotely manipulate these controls. This manipulation could allow unauthorized modification of list limits or attachment-related data, potentially leading to unauthorized access or data integrity issues. The vulnerability does not require user interaction or elevated privileges beyond limited access, making it easier to exploit remotely over the network. The issue was addressed in version 8.21 by patch 8c0b4f79d8582932528ec2fdf2a4487c86770fb9, which strengthens access control checks in the affected function. No known exploits are currently reported in the wild, but the vulnerability’s presence in a widely used collaboration tool poses a risk if left unpatched. The CVSS 4.0 base score of 5.3 reflects a medium severity, considering network attack vector, low attack complexity, no required authentication, and limited impact on confidentiality, integrity, and availability. Organizations relying on WeKan for project management and collaboration should assess their exposure and apply the patch promptly to prevent potential exploitation.
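As an added illustration (not WeKan's models/lists.js and not the 8.21 patch), the JavaScript below sketches the class of defect the analysis describes: a server-side method that changes a list's WIP limit for any caller who knows the list id, beside a hardened version that resolves the list's board on the server and refuses callers who are not an admin of that board. The in-memory store, the role names and the function names are assumptions made for the example.

```javascript
// Constructed in-memory data: one board with an admin and a normal
// member, and one list on that board with a WIP limit of 5. This is
// a stand-in for WeKan's collections, not its real schema.
function makeStore() {
  return {
    boards: { b1: { members: { alice: 'admin', bob: 'normal' } } },
    lists: { l1: { boardId: 'b1', wipLimit: { enabled: true, value: 5 } } },
  };
}

// Vulnerable pattern (illustrative): the method trusts any caller who
// supplies a valid listId and never asks whether userId may administer
// the board the list belongs to. userId is accepted but ignored.
function applyWipLimitUnchecked(store, userId, listId, value) {
  const list = store.lists[listId];
  if (!list) throw new Error('no such list');
  list.wipLimit.value = value;
  return list.wipLimit.value;
}

// Authorization helper: only a member with the 'admin' role on the
// board that owns the list may change limits on it.
function isBoardAdmin(store, userId, boardId) {
  const board = store.boards[boardId];
  return Boolean(board && board.members[userId] === 'admin');
}

// Hardened pattern: derive the board from the stored list (never from
// client input), validate the new limit, and enforce the role check
// before any write. Unauthorized callers leave the list untouched.
function applyWipLimitChecked(store, userId, listId, value) {
  const list = store.lists[listId];
  if (!list) throw new Error('no such list');
  if (!Number.isInteger(value) || value < 0) throw new Error('invalid limit');
  if (!isBoardAdmin(store, userId, list.boardId)) {
    throw new Error('not-authorized');
  }
  list.wipLimit.value = value;
  return list.wipLimit.value;
}
```

The point for reviewers is that the authorization decision must be taken on the server from stored data (list to board to role), not from anything the client sends alongside the request.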
Potential Impact
For European organizations, the vulnerability could lead to unauthorized modification of project management data, potentially disrupting workflows, exposing sensitive project information, or corrupting data integrity. Since WeKan is often used in collaborative environments, improper access controls could allow attackers to bypass intended restrictions, impacting confidentiality and integrity of project attachments and list limits. This could result in operational disruptions, loss of trust in project data, and potential compliance issues if sensitive data is exposed. The remote exploitability without user interaction increases the risk of automated attacks. While the impact on availability is limited, the integrity and confidentiality risks are significant enough to warrant prompt remediation. Organizations in sectors with strict data protection requirements, such as finance, healthcare, and government, may face heightened risks and regulatory scrutiny if this vulnerability is exploited.
Mitigation Recommendations
The primary mitigation is to upgrade WeKan installations to version 8.21 or later, which contains the patch fixing the improper access control issue. Organizations should verify the version of WeKan in use and prioritize patch deployment. Beyond patching, administrators should review and tighten access control policies related to list and attachment management to ensure least privilege principles are enforced. Implement network segmentation and firewall rules to restrict access to WeKan instances to trusted users and networks. Enable detailed logging and monitoring of attachment handling and list modifications to detect anomalous activities indicative of exploitation attempts. Conduct regular security audits and penetration testing focusing on access control mechanisms within WeKan. Additionally, educate users about the importance of reporting unexpected behavior in project management tools. For organizations using containerized or cloud deployments of WeKan, ensure that the underlying infrastructure is also secured and updated.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Belgium, Denmark
Technical Details
- Data Version: 5.2
- Assigner Short Name: VulDB
- Date Reserved: 2026-02-04T14:46:21.963Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 6983d2fdf9fa50a62fb34813
Added to database: 2/4/2026, 11:15:09 PM
Last enriched: 2/4/2026, 11:29:28 PM
Last updated: 2/5/2026, 2:14:46 AM