CVE-2026-2209: Improper Authorization in WeKan
A vulnerability was detected in WeKan up to 8.18. The affected element is the function setCreateTranslation of the file client/components/settings/translationBody.js of the component Custom Translation Handler. The manipulation results in improper authorization. The attack can be launched remotely. Upgrading to version 8.19 is sufficient to fix this issue. The patch is identified as f244a43771f6ebf40218b83b9f46dba6b940d7de. It is suggested to upgrade the affected component.
AI Analysis
Technical Summary
CVE-2026-2209 is an authorization vulnerability found in the open-source Kanban board application WeKan, specifically affecting versions 8.0 through 8.18. The vulnerability resides in the setCreateTranslation function within the client/components/settings/translationBody.js file, part of the Custom Translation Handler component. This function improperly authorizes requests to create translations, allowing an attacker with limited privileges to remotely invoke this function and perform unauthorized translation creation actions. Since the vulnerability is remotely exploitable without user interaction and requires only limited privileges, it could be leveraged by an attacker who has some level of access to the application but is not fully privileged. The improper authorization could lead to unauthorized changes in the translation settings or data, potentially impacting the integrity and confidentiality of localized content within the application. The vulnerability has a CVSS 4.0 base score of 5.3, reflecting medium severity due to its limited impact scope and the requirement for some privileges. The issue was addressed in WeKan version 8.19 by correcting the authorization checks in the affected function, as identified by patch f244a43771f6ebf40218b83b9f46dba6b940d7de. No public exploits have been reported, but the vulnerability should be considered a risk for organizations relying on WeKan for collaboration and project management.
Potential Impact
For European organizations using WeKan versions 8.0 through 8.18, this vulnerability could allow attackers with limited access to perform unauthorized translation creation actions, potentially leading to unauthorized modifications of localized content or settings. This could undermine the integrity of project management data, cause confusion among users due to incorrect translations, and potentially expose sensitive information if translation data includes confidential content. While the vulnerability does not directly lead to full system compromise or data exfiltration, it weakens the authorization model and could be a stepping stone for further attacks within the application environment. Organizations relying on WeKan for critical workflows may experience disruption or data integrity issues. The remote exploitability without user interaction increases the risk, especially in multi-tenant or externally accessible deployments. However, the lack of known exploits in the wild and the medium severity rating suggest the immediate risk is moderate but should not be ignored.
Mitigation Recommendations
The primary mitigation is to upgrade WeKan installations to version 8.19 or later, where the authorization flaw has been fixed. Organizations should verify their current WeKan version and plan immediate patching to eliminate the vulnerability. Additionally, review and restrict user privileges within WeKan to the minimum necessary, limiting access to translation management features only to trusted users. Implement network segmentation and access controls to reduce exposure of WeKan instances to untrusted networks. Monitor application logs for unusual translation creation activities that could indicate exploitation attempts. If upgrading immediately is not feasible, consider temporarily disabling or restricting access to the translation management features as a workaround. Regularly audit user roles and permissions to ensure adherence to the principle of least privilege. Finally, maintain an incident response plan to quickly address any suspicious activity related to WeKan.
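As an added illustration of the flaw class described above and of the log-based monitoring recommended here (constructed example code, not WeKan's code; the page does not show what patch f244a43771f6ebf40218b83b9f46dba6b940d7de changed), the following JavaScript contrasts a translation-creation handler that decides authorization from client-controlled data with one that decides it from the server-side user record and records every attempt. The user store, handler names and admin-only role model are assumptions made for the example.

```javascript
// Constructed example: privileged operation (creating a custom translation)
// guarded two ways. Names, users and the role model are assumptions.

// Server-side user store; the role stored here is authoritative.
const USERS = new Map([
  ["u-admin", { username: "alice", isAdmin: true }],
  ["u-member", { username: "bob", isAdmin: false }],
]);

const translations = []; // stand-in for the translations collection
const auditLog = [];     // stand-in for the application log

// Vulnerable pattern: the admin decision comes from a flag in the request
// payload. A limited-privilege user can simply send isAdmin: true.
function createTranslationUnsafe(userId, payload) {
  if (!USERS.has(userId)) throw new Error("not authenticated");
  if (!payload.isAdmin) throw new Error("forbidden");
  translations.push({ by: userId, key: payload.key, text: payload.text });
  return true;
}

// Hardened pattern: the role is looked up server-side for the authenticated
// user and the payload is never consulted for authorization. Every attempt,
// allowed or denied, is logged so unusual creation activity is visible.
function createTranslationSafe(userId, payload) {
  const user = USERS.get(userId);
  if (!user) throw new Error("not authenticated");
  const allowed = user.isAdmin === true;
  auditLog.push({ event: "translation.create", userId, key: payload.key, allowed });
  if (!allowed) throw new Error("forbidden");
  translations.push({ by: userId, key: payload.key, text: payload.text });
  return true;
}

// Runs a handler and returns "ok" or the error message, for easy comparison.
function outcome(fn, ...args) {
  try { fn(...args); return "ok"; } catch (e) { return e.message; }
}

// Demo: bob forges the flag and succeeds against the unsafe handler,
// but the hardened handler denies him and logs the attempt.
const forged = { isAdmin: true, key: "board-title", text: "Tafel" };
console.log("unsafe, limited user:", outcome(createTranslationUnsafe, "u-member", forged));
console.log("safe, limited user:  ", outcome(createTranslationSafe, "u-member", forged));
console.log("safe, admin:         ", outcome(createTranslationSafe, "u-admin", { key: "board-title", text: "Tafel" }));
console.log("denied attempts logged:", auditLog.filter((e) => !e.allowed).length);
```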
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Italy, Spain, Poland
Technical Details
Data Version: 5.2
Assigner Short Name: VulDB
Date Reserved: 2026-02-08T01:14:09.539Z
CVSS Version: 4.0
State: PUBLISHED
Threat ID: 6987ee2cf9fa50a62f16ffc4
Added to database: 2/8/2026, 2:00:12 AM
Last enriched: 2/8/2026, 2:15:19 AM
Last updated: 2/8/2026, 8:53:45 AM