CVE-2026-2209: Improper Authorization in WeKan
A vulnerability was detected in WeKan up to 8.18. The affected element is the function setCreateTranslation of the file client/components/settings/translationBody.js of the component Custom Translation Handler. The manipulation results in improper authorization. The attack can be launched remotely. Upgrading to version 8.19 is sufficient to fix this issue. The patch is identified as f244a43771f6ebf40218b83b9f46dba6b940d7de. It is suggested to upgrade the affected component.
AI Analysis
Technical Summary
CVE-2026-2209 is an improper authorization vulnerability identified in the open-source project WeKan, specifically affecting versions 8.0 through 8.18. The vulnerability resides in the setCreateTranslation function within the client/components/settings/translationBody.js file, part of the Custom Translation Handler component. The flaw allows an attacker to remotely trigger translation creation or modification without passing a proper authorization check. No user interaction is required, and the attacker needs only limited privileges (PR:L): some level of authenticated access, but not administrative rights. The CVSS 4.0 base score is 5.3 (medium severity): the attack vector is network and the attack complexity low, while the impact on confidentiality, integrity, and availability is limited but present. The vulnerability involves no scope change and no bypass of security controls other than the missing authorization check. The patch, commit f244a43771f6ebf40218b83b9f46dba6b940d7de, corrects the authorization logic so that only authorized users can invoke the setCreateTranslation functionality. No exploits in the wild had been reported as of the publication date. The case underlines the importance of strict authorization checks in multi-tenant or collaborative software such as WeKan, which is used for kanban-style project management and task tracking.
Potential Impact
The vulnerability allows an attacker with limited privileges to perform unauthorized actions related to translation creation or modification within WeKan. This can lead to unauthorized changes in the user interface language or content, potentially causing confusion, misinformation, or manipulation of displayed information. While the impact on confidentiality, integrity, and availability is limited, unauthorized modifications could undermine trust in the system and disrupt collaboration workflows. In environments where WeKan is used for critical project management or sensitive information tracking, this could lead to operational disruptions or indirect information disclosure. The remote exploitability and lack of required user interaction increase the risk of automated or targeted attacks. Organizations relying on WeKan for internal or external collaboration should consider this vulnerability a moderate risk until patched.
Mitigation Recommendations
The primary mitigation is to upgrade WeKan installations to version 8.19 or later, where the authorization flaw in setCreateTranslation has been corrected. Until upgrading is possible, organizations should restrict access to WeKan to trusted users only and enforce the principle of least privilege to minimize the number of users with permissions that could exploit this vulnerability. Monitoring and logging of translation-related activities can help detect suspicious behavior. Additionally, network-level controls such as IP whitelisting or VPN access can reduce exposure. Administrators should review user roles and permissions to ensure no unnecessary privileges are granted. Regularly auditing and updating software dependencies and components is essential to prevent similar authorization issues. Finally, educating users about the importance of reporting unexpected UI changes or translation anomalies can aid early detection.
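The authorization pattern the analysis describes, as an added illustration in plain JavaScript. This is not WeKan's code and does not reproduce the actual patch: it models a hypothetical setCreateTranslation-style settings method, first with the role check left to the client (the improper-authorization shape, where the method only verifies that the caller is logged in) and then with the role re-checked server-side on every call and denials written to an audit log, together with a small detector over that log for the monitoring recommendation above. The user directory, the isAdmin role model, the validation rules and the log entry format are all constructed for the example.

```javascript
// Added example: a hypothetical settings method modelled on the affected
// function name. It is not WeKan's code and does not reproduce the real fix.

// Constructed user directory and in-memory stores (not WeKan's data model).
const users = {
  alice: { id: 'alice', isAdmin: true },
  bob: { id: 'bob', isAdmin: false },
};
const translations = new Map();
const auditLog = [];

function requireUser(callerId) {
  const user = users[callerId];
  if (!user) throw new Error('not-authenticated');
  return user;
}

// Input validation is shared by both variants; it is not an authorization check.
function validateTranslation(language, key, text) {
  if (!/^[a-z]{2}(-[A-Z]{2})?$/.test(language)) throw new Error('bad-language');
  if (typeof key !== 'string' || key.length === 0 || key.length > 200) throw new Error('bad-key');
  if (typeof text !== 'string' || text.length > 5000) throw new Error('bad-text');
}

// Improper-authorization shape: the UI hides the settings page from
// non-admins, but the method itself only checks that *someone* is logged in,
// so any authenticated user who calls it directly succeeds (PR:L).
function setCreateTranslationVulnerable(callerId, language, key, text) {
  requireUser(callerId);
  validateTranslation(language, key, text);
  translations.set(`${language}:${key}`, { text, by: callerId });
  return true;
}

// Hardened shape: the role is re-checked server-side on every call, and a
// denial is written to the audit log before the error is raised.
function setCreateTranslationHardened(callerId, language, key, text) {
  const user = requireUser(callerId);
  if (!user.isAdmin) {
    auditLog.push({ event: 'translation.denied', user: callerId, language, key,
                    at: new Date().toISOString() });
    throw new Error('not-authorized');
  }
  validateTranslation(language, key, text);
  translations.set(`${language}:${key}`, { text, by: callerId });
  auditLog.push({ event: 'translation.created', user: callerId, language, key,
                  at: new Date().toISOString() });
  return true;
}

// Monitoring: users with `threshold` or more denied translation writes,
// the kind of repeated attempt that should be reviewed.
function usersWithRepeatedDenials(log, threshold = 3) {
  const counts = new Map();
  for (const entry of log) {
    if (entry.event !== 'translation.denied') continue;
    counts.set(entry.user, (counts.get(entry.user) || 0) + 1);
  }
  return [...counts].filter(([, n]) => n >= threshold).map(([u]) => u).sort();
}

// Run the constructed scenario once and report what happened.
function demo() {
  const result = {};
  // bob is not an admin, yet the vulnerable method accepts his write.
  result.vulnerableLetsBobWrite =
    setCreateTranslationVulnerable('bob', 'de', 'card-title', 'Kartentitel');
  try {
    setCreateTranslationHardened('bob', 'de', 'card-title', 'Boese');
    result.hardenedDeniedBob = false;
  } catch (e) {
    result.hardenedDeniedBob = e.message === 'not-authorized';
  }
  // Two more denied attempts by bob, so the detector sees three in total.
  for (let i = 0; i < 2; i++) {
    try { setCreateTranslationHardened('bob', 'fr', `k${i}`, 'x'); } catch (e) { /* denied */ }
  }
  result.hardenedAllowsAlice =
    setCreateTranslationHardened('alice', 'de', 'card-title', 'Kartentitel');
  result.flagged = usersWithRepeatedDenials(auditLog, 3);
  return result;
}
```

The point of the hardened variant is that hiding a settings control in the client never substitutes for the server verifying the caller's role on every invocation; the audit entries it writes are what make the "monitoring and logging of translation-related activities" recommendation actionable.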
Affected Countries
United States, Germany, France, United Kingdom, Canada, Australia, Netherlands, Sweden, Japan, South Korea
Technical Details
- Data Version: 5.2
- Assigner Short Name: VulDB
- Date Reserved: 2026-02-08T01:14:09.539Z
- Cvss Version: 4.0
- State: PUBLISHED
Threat ID: 6987ee2cf9fa50a62f16ffc4
Added to database: 2/8/2026, 2:00:12 AM
Last enriched: 2/23/2026, 9:08:31 PM
Last updated: 3/26/2026, 3:53:36 AM
Views: 75