CVE-2026-1964 identifies an improper access control vulnerability in WeKan, an open-source kanban board application widely used for project management. The vulnerability resides in the REST endpoint implemented in the models/boards.js file, affecting all versions from 8.0 through 8.20. The flaw allows remote attackers with low-level privileges to bypass intended access restrictions, potentially enabling unauthorized access or modification of board data or related resources. The vulnerability does not require user interaction and can be exploited remotely without elevated privileges, increasing its risk profile. The CVSS 4.0 base score is 5.3 (medium), reflecting the moderate impact on confidentiality and integrity, with no impact on availability. The vulnerability was published on February 5, 2026, and fixed in version 8.21. Although no known exploits are reported in the wild, the vulnerability's nature suggests that attackers could leverage it to escalate privileges or access sensitive project information within affected deployments. The patch involves correcting the access control logic in the REST endpoint to enforce proper authorization checks. Organizations relying on WeKan for internal or external project collaboration should apply the update promptly to prevent exploitation.

For European organizations, this vulnerability poses a risk of unauthorized access or modification of project management data, which could lead to information leakage, disruption of workflows, or unauthorized changes to project boards. While the impact on confidentiality and integrity is limited, the ability for remote exploitation without user interaction or elevated privileges increases the threat surface. Organizations in sectors such as software development, consulting, and any industry relying on WeKan for task tracking and collaboration could face operational disruptions or data integrity issues. Additionally, unauthorized access could expose sensitive project details or intellectual property. The medium severity suggests that while the vulnerability is not critical, it should not be ignored, especially in environments with sensitive or regulated data. Failure to patch could also increase the risk of chained attacks if combined with other vulnerabilities.

The primary mitigation is to upgrade WeKan installations to version 8.21 or later, which contains the fix for this vulnerability. Organizations should audit their current WeKan versions and prioritize patching affected instances. In addition to patching, administrators should review and tighten access control policies within WeKan, ensuring that user roles and permissions are strictly enforced and monitored. Network-level controls such as restricting access to WeKan REST endpoints to trusted internal networks or VPNs can reduce exposure. Implementing robust authentication mechanisms and monitoring logs for unusual access patterns can help detect exploitation attempts. Regular security assessments and penetration testing focused on access control mechanisms in WeKan deployments are recommended. Backup and recovery plans should be verified to ensure data integrity in case of compromise. Finally, educating users about the importance of timely updates and secure usage practices will support overall risk reduction.