CVE-2026-1964: Improper Access Controls in WeKan
A vulnerability has been identified in WeKan up to and including version 8.20. It affects an unknown function in the file models/boards.js within the REST Endpoint component. The manipulation leads to improper access controls. The attack can be launched remotely. Upgrading to version 8.21 fixes the issue. Patch commit: 545566f5663545d16174e0f2399f231aa693ab6e. Upgrading the affected component is recommended.
AI Analysis
Technical Summary
CVE-2026-1964 is an improper access control vulnerability in WeKan, the open-source kanban board application, affecting all versions up to and including 8.20. The flaw lies in the REST endpoint code in models/boards.js, the model file in which WeKan registers its board-related REST routes; the advisory does not name the affected function or say which check is missing. The effect is that a remote caller holding a low-privileged account can read or modify board-related resources outside the scope its role should allow. No user interaction is needed and the request is made over the network, so the exposure is to the confidentiality and integrity of board data (unauthorized viewing or modification of project information). VulDB assigned a CVSS 4.0 base score of 5.3 (medium): attack vector network, low attack complexity, low privileges required, no user interaction, low confidentiality and low integrity impact on the vulnerable system, no availability impact and no impact on subsequent systems (CVSS 4.0 has no scope metric). The vulnerability was published on February 5, 2026 and is fixed in WeKan 8.21 by patch commit 545566f5663545d16174e0f2399f231aa693ab6e, which corrects the authorization checks in the affected REST endpoint. No exploitation in the wild has been reported so far. Organizations running WeKan should upgrade to 8.21 or later.
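The bug class the summary describes, shown here as an added illustration: a board endpoint that authenticates the caller but never checks whether that caller may access the particular board requested, next to the hardened form that performs the per-object check. This is not WeKan's code and does not reproduce the specific flaw fixed in 8.21; the board records, the request shape and the handler names are hypothetical.

```javascript
// Added illustration of the bug class named in the advisory (missing object-level
// authorization on a board REST endpoint). It is NOT WeKan's code and does NOT reproduce the
// specific flaw patched in 8.21: the board records, the request shape and the handlers are
// hypothetical, written to show the check a board endpoint must make.

// Constructed board records, loosely modelled on what a kanban app stores.
const BOARDS = new Map([
  ['b1', { _id: 'b1', title: 'Public roadmap', permission: 'public',
           members: [{ userId: 'u1', isActive: true }] }],
  ['b2', { _id: 'b2', title: 'HR private', permission: 'private',
           members: [{ userId: 'u2', isActive: true }, { userId: 'u3', isActive: false }] }],
]);

// Vulnerable pattern: the handler verifies that the caller is logged in (req.userId was set
// from a valid API token) but never asks whether that user may see this particular board.
// Any authenticated account can read any board whose id it can guess or enumerate.
function getBoardVulnerable(req) {
  if (!req.userId) return { status: 401, body: { error: 'unauthenticated' } };
  const board = BOARDS.get(req.params.boardId);
  if (!board) return { status: 404, body: { error: 'not found' } };
  return { status: 200, body: board };
}

// Authorization rule: public boards are readable by anyone who is logged in; private boards
// only by active members. (Real applications also have org/team and admin rules; omitted.)
function canReadBoard(board, userId) {
  if (board.permission === 'public') return true;
  return board.members.some((m) => m.userId === userId && m.isActive);
}

// Hardened pattern: authenticate, then authorize against the specific object. A non-member
// gets the same 404 as a non-existent id, so the endpoint does not confirm which ids exist.
function getBoardFixed(req) {
  if (!req.userId) return { status: 401, body: { error: 'unauthenticated' } };
  const board = BOARDS.get(req.params.boardId);
  if (!board || !canReadBoard(board, req.userId)) {
    return { status: 404, body: { error: 'not found' } };
  }
  return { status: 200, body: board };
}

// Small driver so the block runs stand-alone: u1 is not a member of the private board b2.
function demo() {
  const req = { userId: 'u1', params: { boardId: 'b2' } };
  return { vulnerable: getBoardVulnerable(req).status, fixed: getBoardFixed(req).status };
}

console.log(demo());
```

The fixed handler answers 404 rather than 403 for a private board the caller is not a member of, so an attacker walking board IDs cannot use the status code to learn which IDs exist; the same rule should apply to every route that takes a board, list or card ID, not only the read path.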
Potential Impact
The vulnerability lets a remote caller reach board data in WeKan that should be hidden from them, and potentially change it, which exposes project information and undermines the integrity of the boards an organization plans and tracks work on. Availability is not affected. Because the WeKan REST API is used with an authenticated account, the precondition is a low-privileged login; on instances that allow self-registration or are shared with external collaborators, that precondition is trivially met. The medium severity rating reflects the limited impact of a single request, but the practical risk is higher where WeKan is exposed to untrusted networks or holds sensitive planning, personnel or customer data. No exploitation in the wild has been reported, yet the patch commit is public, so the missing check can be located by diffing 8.20 against 8.21 and an exploit is cheap to produce; treat the window until upgrade as short.
Mitigation Recommendations
1. Upgrade WeKan to version 8.21 or later; this applies the patch (commit 545566f5663545d16174e0f2399f231aa693ab6e) that corrects the access control checks. Confirm the running version afterwards, since a container restarted from an old image tag silently stays vulnerable.
2. Restrict network exposure: keep WeKan behind a reverse proxy and limit who can reach it (trusted networks, VPN, or an allowlist for the /api/ path). If the REST API is not in use, WeKan's WITH_API setting can disable it entirely, which removes the affected endpoint from the attack surface until the upgrade is done.
3. Keep user privileges minimal. An access control bug by definition bypasses the intended role checks, so RBAC is defense in depth here rather than a fix; what matters most is that low-privileged accounts are not free to obtain. Disable self-registration if the instance is reachable from untrusted networks, and remove stale accounts and API tokens.
4. Monitor reverse-proxy and application logs for REST requests to the board routes (/api/boards/...) from unexpected clients, for one client walking many distinct board IDs, and for bursts of 401/403/404 responses on those routes.
5. If upgrading is delayed, a WAF can rate-limit or block REST calls from untrusted sources, but it cannot decide whether a given caller is a member of a given board, so custom rules cannot substitute for the patch.
6. Educate administrators and users about timely patching and secure configuration of collaboration tools.
7. Keep policies for third-party and open-source software current so that disclosed vulnerabilities are triaged and patched quickly.
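A helper for steps 1 and 4 above, added here and not part of WeKan or of this advisory: it decides whether a deployed version string falls in the affected range (comparing dotted version components, since "8.3" must sort before "8.20") and flags clients in a reverse-proxy access log that walk many distinct board IDs or collect many rejections on the board REST routes. The source of the version string (Admin Panel or container image tag), the nginx combined log format and the thresholds are assumptions; the log lines are constructed, not real traffic.

```javascript
// Added helper for the mitigation steps above (verify the deployed version, then watch the
// board REST routes while patching). Not part of WeKan or of this advisory. Assumptions:
// the version string comes from the Admin Panel or the container image tag (e.g. "v8.20"),
// and the access log is in nginx "combined" format from a proxy in front of WeKan.

const FIXED_VERSION = '8.21'; // first version the advisory names as fixed

// WeKan versions are dotted integers ("8.3" < "8.20"); comparing them as floats or as
// strings gets this wrong, so compare component by component.
function parseVersion(v) {
  const m = /^v?(\d+(?:\.\d+)*)$/.exec(String(v).trim());
  if (!m) throw new Error(`unrecognised version string: ${v}`);
  return m[1].split('.').map(Number);
}

function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return Math.sign(d);
  }
  return 0;
}

// "WeKan up to 8.20" is affected; 8.21 and later are fixed.
function isAffected(version) {
  return compareVersions(version, FIXED_VERSION) < 0;
}

// Combined-log line: client, timestamp, request line, status.
const LOG_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})/;
const BOARD_RE = /^\/api\/boards\/([^/?]+)/;

// Flag clients that touch unusually many distinct board ids or collect many rejections on
// /api/boards/<id>: the pattern a client probing board access controls would produce.
function flagBoardProbing(lines, { maxDistinctBoards = 5, maxRejected = 3 } = {}) {
  const perClient = new Map();
  for (const line of lines) {
    const m = LOG_RE.exec(line);
    if (!m) continue;
    const [, client, , , path, status] = m;
    const b = BOARD_RE.exec(path);
    if (!b) continue;
    const rec = perClient.get(client) || { boards: new Set(), rejected: 0, total: 0 };
    rec.boards.add(b[1]);
    rec.total++;
    if (status === '401' || status === '403' || status === '404') rec.rejected++;
    perClient.set(client, rec);
  }
  const flagged = [];
  for (const [client, rec] of perClient) {
    if (rec.boards.size >= maxDistinctBoards || rec.rejected >= maxRejected) {
      flagged.push({ client, distinctBoards: rec.boards.size, rejected: rec.rejected, total: rec.total });
    }
  }
  return flagged.sort((x, y) => y.distinctBoards - x.distinctBoards);
}

// Constructed sample log lines (not real traffic): one normal user, one id-walking client.
const SAMPLE_LOG = [
  '198.51.100.7 - - [05/Feb/2026:21:45:01 +0000] "GET /api/boards/kY7s2 HTTP/1.1" 200 2210 "-" "Mozilla/5.0"',
  '198.51.100.7 - - [05/Feb/2026:21:45:03 +0000] "GET /api/boards/kY7s2/lists HTTP/1.1" 200 910 "-" "Mozilla/5.0"',
  '203.0.113.5 - - [05/Feb/2026:21:46:10 +0000] "GET /api/boards/aaaa1 HTTP/1.1" 200 1800 "-" "python-requests/2.31"',
  '203.0.113.5 - - [05/Feb/2026:21:46:11 +0000] "GET /api/boards/aaaa2 HTTP/1.1" 404 52 "-" "python-requests/2.31"',
  '203.0.113.5 - - [05/Feb/2026:21:46:12 +0000] "GET /api/boards/aaaa3 HTTP/1.1" 403 60 "-" "python-requests/2.31"',
  '203.0.113.5 - - [05/Feb/2026:21:46:13 +0000] "GET /api/boards/aaaa4 HTTP/1.1" 200 1790 "-" "python-requests/2.31"',
  '203.0.113.5 - - [05/Feb/2026:21:46:14 +0000] "GET /api/boards/aaaa5 HTTP/1.1" 403 60 "-" "python-requests/2.31"',
  '203.0.113.5 - - [05/Feb/2026:21:46:15 +0000] "POST /api/boards/aaaa1/lists HTTP/1.1" 200 120 "-" "python-requests/2.31"',
];

console.log({ affected: isAffected('v8.20'), probing: flagBoardProbing(SAMPLE_LOG) });
```

The thresholds are deliberately low for the sample; on a busy instance tune them per client and per time window, and key on the API token or user ID from application logs where the proxy log only shows a shared NAT address. Note that a successful abuse of a missing check returns 200, so a client reading many boards without any rejections is the more important signal.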
Affected Countries
United States, Germany, United Kingdom, France, Canada, Australia, Netherlands, Japan, South Korea, India
Technical Details
- Data Version: 5.2
- Assigner Short Name: VulDB
- Date Reserved: 2026-02-05T10:51:38.575Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69850f65f9fa50a62f416c4d
Added to database: 2/5/2026, 9:45:09 PM
Last enriched: 2/23/2026, 10:01:10 PM
Last updated: 3/23/2026, 2:06:06 AM