CVE-2026-1896 is a vulnerability identified in the open-source project WeKan, specifically affecting versions 8.0 through 8.20. The issue resides in the ComprehensiveBoardMigration function within the server/migrations/comprehensiveBoardMigration.js file, part of the Migration Operation Handler component. The vulnerability stems from improper access control when processing the boardId argument, which can be manipulated remotely by an attacker. This manipulation allows unauthorized access or modification of board data during migration operations. The attack vector is network-based (AV:N), requires low attack complexity (AC:L), no authentication (AT:N), and no user interaction (UI:N). However, the attacker must have limited privileges (PR:L) on the system. The vulnerability impacts confidentiality, integrity, and availability to a low degree (VC:L, VI:L, VA:L). The scope remains unchanged (S:U), and no security requirements are bypassed (SI:N, SA:N). The vulnerability was assigned a CVSS v4.0 base score of 5.3, categorized as medium severity. The issue was patched in WeKan version 8.21, with the patch identified by commit cc35dafef57ef6e44a514a523f9a8d891e74ad8f. No known exploits have been reported in the wild to date. The vulnerability highlights the importance of proper access control validation in migration operations within collaborative software platforms.

The vulnerability allows remote attackers with limited privileges to manipulate the boardId parameter during migration operations, potentially gaining unauthorized access to or modification of board data. This can lead to partial disclosure of sensitive project information, unauthorized changes to task boards, or disruption of migration processes. While the impact on confidentiality, integrity, and availability is assessed as low, organizations relying on WeKan for project management and collaboration could face operational disruptions and data exposure risks. The medium CVSS score reflects the balance between ease of exploitation and limited impact scope. If exploited in sensitive environments, such as government or critical infrastructure project management, the consequences could be more severe. The lack of required user interaction and the remote attack vector increase the risk of automated exploitation attempts if the vulnerability becomes widely known. However, no active exploitation has been reported, suggesting limited current threat activity. Organizations worldwide using affected WeKan versions should consider the risk significant enough to warrant immediate patching to prevent potential future attacks.

1. Upgrade all WeKan instances to version 8.21 or later, where the vulnerability is patched. 2. Implement strict access control policies limiting user privileges to the minimum necessary, reducing the risk posed by limited privilege attackers. 3. Monitor network traffic and application logs for unusual migration operation requests or anomalies involving boardId parameters. 4. Employ Web Application Firewalls (WAFs) with custom rules to detect and block suspicious manipulation of migration-related API calls. 5. Conduct regular security audits and code reviews focusing on access control enforcement in critical components like migration handlers. 6. Isolate WeKan deployments within secure network segments and restrict administrative interfaces to trusted IP addresses. 7. Educate administrators and users about the importance of timely updates and secure configuration management. 8. Consider implementing multi-factor authentication (MFA) for administrative access to further reduce risk from compromised credentials. These steps go beyond generic advice by focusing on the specific migration operation handler and the nature of the vulnerability.