CVE-2026-1963: Improper Access Controls in WeKan
CVE-2026-1963 is a medium severity vulnerability in WeKan versions up to 8.20 that involves improper access controls in the Attachment Storage component, specifically in the file models/attachments.js. This flaw allows remote attackers with limited privileges to manipulate attachments beyond intended permissions without requiring user interaction or elevated privileges. Exploitation could lead to unauthorized access or modification of attachments, impacting confidentiality, integrity, and availability of stored data. The vulnerability is mitigated by upgrading to WeKan version 8.21, which includes a patch addressing the access control issue. European organizations using WeKan for project management or collaboration should prioritize patching to prevent potential data breaches or operational disruptions. Countries with higher adoption of WeKan or significant tech sectors are more likely to be affected. No known exploits are currently reported in the wild, but proactive mitigation is advised.
AI Analysis
Technical Summary
CVE-2026-1963 is an access control vulnerability found in WeKan, an open-source kanban board application widely used for project management and collaboration. The flaw resides in the Attachment Storage component, specifically within the models/attachments.js file, affecting versions 8.0 through 8.20. The vulnerability allows an attacker with limited privileges (PR:L) to remotely manipulate attachments without requiring user interaction (UI:N) or elevated privileges, due to improper enforcement of access controls. This can lead to unauthorized access, modification, or deletion of attachments, potentially exposing sensitive information or disrupting workflows. The vulnerability has a CVSS 4.0 base score of 5.3, indicating a medium severity level, with network attack vector (AV:N), low attack complexity (AC:L), and no special attack requirements (AT:N). The scope is limited to the vulnerable component, and the impact affects confidentiality, integrity, and availability to a limited degree. The issue is addressed in WeKan version 8.21, which includes a patch (commit c413a7e860bc4d93fe2adcf82516228570bf382d) that corrects the access control checks. No public exploits or active exploitation have been reported, but the vulnerability's nature makes it a moderate risk for organizations relying on WeKan for managing sensitive attachments.
Potential Impact
For European organizations, the improper access control vulnerability in WeKan could lead to unauthorized disclosure or alteration of sensitive project-related attachments, potentially resulting in data breaches, intellectual property loss, or disruption of collaborative workflows. Organizations in sectors such as technology, finance, and government using WeKan for internal project management may face confidentiality and integrity risks. The ability to exploit the vulnerability remotely without user interaction increases the threat surface, especially for organizations exposing WeKan instances to the internet or large internal networks. While the impact is medium severity, the risk escalates if attackers combine this vulnerability with other weaknesses to gain broader access. Disruption of project management processes could also affect operational efficiency and compliance with data protection regulations such as GDPR if personal or sensitive data is involved.
Mitigation Recommendations
European organizations should immediately upgrade all WeKan instances to version 8.21 or later to apply the official patch that fixes the improper access control issue. In addition to patching, organizations should audit current access permissions on attachments within WeKan to ensure no unauthorized access has occurred. Restrict network exposure of WeKan instances by implementing firewall rules and VPN access to limit remote attack vectors. Enable detailed logging and monitoring of attachment access and modifications to detect suspicious activity early. Conduct regular security assessments and penetration testing focusing on access control mechanisms in collaboration tools. Educate administrators and users about the importance of timely updates and secure configuration of project management software. Consider isolating WeKan deployments in segmented network zones to minimize potential lateral movement in case of compromise.
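The technical summary describes the flaw as attachment operations that a low-privileged user can perform beyond the permissions the board grants, and the mitigation section asks operators to audit attachment permissions. The following added example (not WeKan's code, not the patched models/attachments.js, and making no claim about the exact defect) shows the class of server-side check such a flaw lacks: an authentication-only gate beside a board-membership-based authorization gate, plus a small audit helper that lists the principals the weaker gate over-grants. The board and attachment records, role flags and function names are all constructed for the example.

```javascript
// Added example, not WeKan's code: a minimal server-side authorization guard
// for attachment operations. Board/attachment records, role flag names and
// helper names are constructed for illustration only.

// Constructed sample data: one board with members of differing roles.
const boards = {
  'board-1': {
    members: [
      { userId: 'alice', isAdmin: true,  isActive: true,  isCommentOnly: false },
      { userId: 'bob',   isAdmin: false, isActive: true,  isCommentOnly: false },
      { userId: 'carol', isAdmin: false, isActive: true,  isCommentOnly: true  },
      { userId: 'dave',  isAdmin: false, isActive: false, isCommentOnly: false },
    ],
  },
};

// Constructed sample attachment: stored with the board it belongs to and
// who uploaded it. These fields come from the server's own records.
const attachments = {
  'att-1': { boardId: 'board-1', uploaderId: 'bob' },
};

// Look up an active membership of userId on boardId, or null.
function memberOf(boardId, userId) {
  const board = boards[boardId];
  if (!board) return null;
  return board.members.find(m => m.userId === userId && m.isActive) || null;
}

// Weak gate: authenticates but does not authorize. Any logged-in user is
// allowed to act on any existing attachment, regardless of board membership.
function canModifyAttachmentWeak(userId, attachmentId) {
  return Boolean(userId) && Boolean(attachments[attachmentId]);
}

// Hardened gate: the decision is derived from the attachment's own boardId
// (server-side data, never a client-supplied board id) and requires an
// active membership whose role permits the requested action.
function canModifyAttachmentStrict(userId, attachmentId, action) {
  const att = attachments[attachmentId];
  if (!userId || !att) return false;
  const member = memberOf(att.boardId, userId);
  if (!member) return false;            // not on the board, or inactive
  if (action === 'read') return true;   // any active member may read
  if (member.isCommentOnly) return false; // comment-only members cannot write
  if (action === 'delete') return member.isAdmin || att.uploaderId === userId;
  return action === 'update';           // ordinary members may update
}

// Audit helper: principals the weak gate accepts but the strict gate denies,
// i.e. the over-grant an access-control audit is looking for.
function overPermissiveGrants(attachmentId, userIds, action) {
  return userIds.filter(u =>
    canModifyAttachmentWeak(u, attachmentId) &&
    !canModifyAttachmentStrict(u, attachmentId, action));
}
```

The point of the strict gate is that the board used for the decision is read from the attachment record, so a caller cannot influence which board's membership is consulted, and each action maps to an explicit role requirement rather than to "is logged in".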
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Denmark, Belgium, Italy, Spain
Technical Details
- Data Version: 5.2
- Assigner Short Name: VulDB
- Date Reserved: 2026-02-05T10:51:34.836Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 6985085df9fa50a62f3df52c
Added to database: 2/5/2026, 9:15:09 PM
Last enriched: 2/5/2026, 9:29:27 PM
Last updated: 2/5/2026, 10:20:01 PM
Views: 6