CVE-2026-1962: Improper Access Controls in WeKan
A vulnerability has been found in WeKan up to 8.20. The impacted element is an unknown function of the file server/attachmentMigration.js of the component Attachment Migration. The manipulation leads to improper access controls. The attack may be initiated remotely. Upgrading to version 8.21 is sufficient to resolve this issue. The identifier of the patch is 053bf1dfb76ef230db162c64a6ed50ebedf67eee. It is recommended to upgrade the affected component.
AI Analysis
Technical Summary
CVE-2026-1962 is a vulnerability identified in the open-source project management tool WeKan, affecting all versions from 8.0 through 8.20. The issue resides in an unspecified function within the server-side file server/attachmentMigration.js, part of the Attachment Migration component. The root cause is improper access control, which allows remote attackers to bypass intended restrictions and access or manipulate attachments improperly. The vulnerability can be exploited remotely without user interaction and does not require prior authentication, though it does require low privileges (PR:L). The CVSS 4.0 base score is 5.3, reflecting a medium severity level, with network attack vector (AV:N), low attack complexity (AC:L), no user interaction (UI:N), and limited impact on confidentiality, integrity, and availability (VC:L, VI:L, VA:L). The flaw does not affect system scope or require special privileges beyond low-level access. The vendor has addressed the issue in WeKan version 8.21, with a patch identified by commit 053bf1dfb76ef230db162c64a6ed50ebedf67eee. No public exploits or widespread attacks have been reported to date. This vulnerability could allow unauthorized access to sensitive attachments, potentially exposing confidential project information or enabling data tampering.
Potential Impact
The vulnerability's impact primarily concerns unauthorized access to attachments managed by WeKan, which could lead to exposure of sensitive project data, intellectual property, or personally identifiable information. Integrity could be compromised if attackers modify attachments, potentially disrupting project workflows or injecting malicious content. Availability impact is limited but possible if attackers manipulate attachments to cause application errors or denial of service. Since exploitation requires only low privileges and no user interaction, attackers with minimal access could leverage this flaw to escalate their impact within the system. Organizations relying on WeKan for collaborative project management, especially in sectors handling sensitive or regulated data, face risks of data breaches, compliance violations, and operational disruptions. The medium severity rating indicates a moderate but non-trivial threat that warrants timely remediation.
Mitigation Recommendations
Organizations should upgrade all affected WeKan instances to version 8.21 or later immediately to remediate the vulnerability. In addition to patching, administrators should review and tighten access control policies around attachments and migration processes to ensure least privilege principles are enforced. Monitoring logs for unusual access patterns to attachment migration endpoints can help detect attempted exploitation. Implement network segmentation and firewall rules to restrict access to WeKan servers, limiting exposure to trusted users and networks. Regularly audit user privileges and remove unnecessary low-level access that could be leveraged by attackers. Employ secure coding and configuration management practices to prevent similar access control issues in custom deployments or integrations. Finally, maintain an incident response plan to quickly address any suspected compromise related to this vulnerability.
Affected Countries
United States, Germany, United Kingdom, France, Canada, Australia, Netherlands, Japan, South Korea, India
Technical Details
- Data Version: 5.2
- Assigner Short Name: VulDB
- Date Reserved: 2026-02-05T10:51:22.769Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69850155f9fa50a62f38ceec
Added to database: 2/5/2026, 8:45:09 PM
Last enriched: 2/23/2026, 10:00:38 PM
Last updated: 3/23/2026, 1:57:58 AM