Vulnerability-Lookup

CVE-2026-30847 (GCVE-0-2026-30847)

Vulnerability from cvelistv5 – Published: 2026-03-06 19:37 – Updated: 2026-03-09 20:34

Title

Wekan Credential Leak via notificationUsers Publication Exposes Password Hashes and Session Tokens

Summary

Wekan is an open source kanban tool built with Meteor. In versions 8.31.0 through 8.33, the notificationUsers publication in Wekan publishes user documents with no field filtering, causing the ReactiveCache.getUsers() call to return all fields including highly sensitive data such as bcrypt password hashes, active session login tokens, email verification tokens, full email addresses, and any stored OAuth tokens. Unlike Meteor's default auto-publication which strips the services field for security, custom publications return whatever fields the cursor contains, meaning all subscribers receive the complete user documents. Any authenticated user who triggers this publication can harvest credentials and active session tokens for other users, enabling password cracking, session hijacking, and full account takeover. This issue has been fixed in version 8.34.

Severity ?

9.3 (Critical)


                        
                          CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:H/SA:H

CWE

CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
CWE-285 - Improper Authorization

Assigner

GitHub_M

References

URL

Tags

	https://securitylab.github.com/advisories/GHSL-20…	x_refsource_CONFIRM
	https://github.com/wekan/wekan/commit/1c8667eae8b…	x_refsource_MISC
	https://github.com/wekan/wekan/releases/tag/v8.34	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	Wekan	Wekan	Affected: >= 8.31.0, < 8.34

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-30847",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-09T20:24:37.252518Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-09T20:34:19.842Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Wekan",
          "vendor": "Wekan",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 8.31.0, \u003c 8.34"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Wekan is an open source kanban tool built with Meteor. In versions 8.31.0 through 8.33, the notificationUsers publication in Wekan publishes user documents with no field filtering, causing the ReactiveCache.getUsers() call to return all fields including highly sensitive data such as bcrypt password hashes, active session login tokens, email verification tokens, full email addresses, and any stored OAuth tokens. Unlike Meteor\u0027s default auto-publication which strips the services field for security, custom publications return whatever fields the cursor contains, meaning all subscribers receive the complete user documents. Any authenticated user who triggers this publication can harvest credentials and active session tokens for other users, enabling password cracking, session hijacking, and full account takeover. This issue has been fixed in version 8.34."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 9.3,
            "baseSeverity": "CRITICAL",
            "privilegesRequired": "LOW",
            "subAvailabilityImpact": "HIGH",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "HIGH",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:H/SA:H",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-200",
              "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-285",
              "description": "CWE-285: Improper Authorization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-06T19:37:19.337Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://securitylab.github.com/advisories/GHSL-2026-035_Wekan/",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://securitylab.github.com/advisories/GHSL-2026-035_Wekan/"
        },
        {
          "name": "https://github.com/wekan/wekan/commit/1c8667eae8b28739e43569b612ffdb2693c6b1ce",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/wekan/wekan/commit/1c8667eae8b28739e43569b612ffdb2693c6b1ce"
        },
        {
          "name": "https://github.com/wekan/wekan/releases/tag/v8.34",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/wekan/wekan/releases/tag/v8.34"
        }
      ],
      "source": {
        "advisory": "GHSA-q83p-q5qr-cm7g",
        "discovery": "UNKNOWN"
      },
      "title": "Wekan Credential Leak via notificationUsers Publication Exposes Password Hashes and Session Tokens"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-30847",
    "datePublished": "2026-03-06T19:37:19.337Z",
    "dateReserved": "2026-03-05T21:27:35.341Z",
    "dateUpdated": "2026-03-09T20:34:19.842Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-30847\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-03-06T20:16:17.530\",\"lastModified\":\"2026-03-11T14:22:57.470\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Wekan is an open source kanban tool built with Meteor. In versions 8.31.0 through 8.33, the notificationUsers publication in Wekan publishes user documents with no field filtering, causing the ReactiveCache.getUsers() call to return all fields including highly sensitive data such as bcrypt password hashes, active session login tokens, email verification tokens, full email addresses, and any stored OAuth tokens. Unlike Meteor\u0027s default auto-publication which strips the services field for security, custom publications return whatever fields the cursor contains, meaning all subscribers receive the complete user documents. Any authenticated user who triggers this publication can harvest credentials and active session tokens for other users, enabling password cracking, session hijacking, and full account takeover. This issue has been fixed in version 8.34.\"},{\"lang\":\"es\",\"value\":\"Wekan es una herramienta kanban de c\u00f3digo abierto construida con Meteor. En las versiones 8.31.0 a la 8.33, la publicaci\u00f3n notificationUsers en Wekan publica documentos de usuario sin filtrar campos, lo que provoca que la llamada a ReactiveCache.getUsers() devuelva todos los campos, incluyendo datos altamente sensibles como hashes de contrase\u00f1a bcrypt, tokens de inicio de sesi\u00f3n de sesi\u00f3n activa, tokens de verificaci\u00f3n de correo electr\u00f3nico, direcciones de correo electr\u00f3nico completas y cualquier token OAuth almacenado. A diferencia de la auto-publicaci\u00f3n predeterminada de Meteor, que elimina el campo services por seguridad, las publicaciones personalizadas devuelven todos los campos que contiene el cursor, lo que significa que todos los suscriptores reciben los documentos de usuario completos. Cualquier usuario autenticado que active esta publicaci\u00f3n puede recolectar credenciales y tokens de sesi\u00f3n activa de otros usuarios, lo que permite el cracking de contrase\u00f1as, el secuestro de sesi\u00f3n y la toma de control total de la cuenta. Este problema ha sido solucionado en la versi\u00f3n 8.34.\"}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\",\"baseScore\":9.3,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"attackRequirements\":\"NONE\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"vulnConfidentialityImpact\":\"HIGH\",\"vulnIntegrityImpact\":\"HIGH\",\"vulnAvailabilityImpact\":\"NONE\",\"subConfidentialityImpact\":\"NONE\",\"subIntegrityImpact\":\"HIGH\",\"subAvailabilityImpact\":\"HIGH\",\"exploitMaturity\":\"NOT_DEFINED\",\"confidentialityRequirement\":\"NOT_DEFINED\",\"integrityRequirement\":\"NOT_DEFINED\",\"availabilityRequirement\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedVulnIntegrityImpact\":\"NOT_DEFINED\",\"modifiedVulnAvailabilityImpact\":\"NOT_DEFINED\",\"modifiedSubConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedSubIntegrityImpact\":\"NOT_DEFINED\",\"modifiedSubAvailabilityImpact\":\"NOT_DEFINED\",\"Safety\":\"NOT_DEFINED\",\"Automatable\":\"NOT_DEFINED\",\"Recovery\":\"NOT_DEFINED\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"NOT_DEFINED\",\"providerUrgency\":\"NOT_DEFINED\"}}],\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N\",\"baseScore\":6.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-200\"},{\"lang\":\"en\",\"value\":\"CWE-285\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:wekan_project:wekan:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"8.31\",\"versionEndExcluding\":\"8.33\",\"matchCriteriaId\":\"82F22D3F-FA6B-485B-94AE-266CD62CC379\"}]}]}],\"references\":[{\"url\":\"https://github.com/wekan/wekan/commit/1c8667eae8b28739e43569b612ffdb2693c6b1ce\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/wekan/wekan/releases/tag/v8.34\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Release Notes\"]},{\"url\":\"https://securitylab.github.com/advisories/GHSL-2026-035_Wekan/\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Third Party Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"cna\": {\"title\": \"Wekan Credential Leak via notificationUsers Publication Exposes Password Hashes and Session Tokens\", \"problemTypes\": [{\"descriptions\": [{\"cweId\": \"CWE-200\", \"lang\": \"en\", \"description\": \"CWE-200: Exposure of Sensitive Information to an Unauthorized Actor\", \"type\": \"CWE\"}]}, {\"descriptions\": [{\"cweId\": \"CWE-285\", \"lang\": \"en\", \"description\": \"CWE-285: Improper Authorization\", \"type\": \"CWE\"}]}], \"metrics\": [{\"cvssV4_0\": {\"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"attackRequirements\": \"NONE\", \"privilegesRequired\": \"LOW\", \"userInteraction\": \"NONE\", \"vulnConfidentialityImpact\": \"HIGH\", \"vulnIntegrityImpact\": \"HIGH\", \"vulnAvailabilityImpact\": \"NONE\", \"subConfidentialityImpact\": \"NONE\", \"subIntegrityImpact\": \"HIGH\", \"subAvailabilityImpact\": \"HIGH\", \"baseScore\": 9.3, \"baseSeverity\": \"CRITICAL\", \"vectorString\": \"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:H/SA:H\", \"version\": \"4.0\"}}], \"references\": [{\"name\": \"https://securitylab.github.com/advisories/GHSL-2026-035_Wekan/\", \"tags\": [\"x_refsource_CONFIRM\"], \"url\": \"https://securitylab.github.com/advisories/GHSL-2026-035_Wekan/\"}, {\"name\": \"https://github.com/wekan/wekan/commit/1c8667eae8b28739e43569b612ffdb2693c6b1ce\", \"tags\": [\"x_refsource_MISC\"], \"url\": \"https://github.com/wekan/wekan/commit/1c8667eae8b28739e43569b612ffdb2693c6b1ce\"}, {\"name\": \"https://github.com/wekan/wekan/releases/tag/v8.34\", \"tags\": [\"x_refsource_MISC\"], \"url\": \"https://github.com/wekan/wekan/releases/tag/v8.34\"}], \"affected\": [{\"vendor\": \"Wekan\", \"product\": \"Wekan\", \"versions\": [{\"version\": \"\u003e= 8.31.0, \u003c 8.34\", \"status\": \"affected\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-03-06T19:37:19.337Z\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"Wekan is an open source kanban tool built with Meteor. In versions 8.31.0 through 8.33, the notificationUsers publication in Wekan publishes user documents with no field filtering, causing the ReactiveCache.getUsers() call to return all fields including highly sensitive data such as bcrypt password hashes, active session login tokens, email verification tokens, full email addresses, and any stored OAuth tokens. Unlike Meteor\u0027s default auto-publication which strips the services field for security, custom publications return whatever fields the cursor contains, meaning all subscribers receive the complete user documents. Any authenticated user who triggers this publication can harvest credentials and active session tokens for other users, enabling password cracking, session hijacking, and full account takeover. This issue has been fixed in version 8.34.\"}], \"source\": {\"advisory\": \"GHSA-q83p-q5qr-cm7g\", \"discovery\": \"UNKNOWN\"}}, \"adp\": [{\"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-30847\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-03-09T20:24:37.252518Z\"}}}], \"providerMetadata\": {\"shortName\": \"CISA-ADP\", \"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"dateUpdated\": \"2026-03-09T20:26:55.584Z\"}, \"title\": \"CISA ADP Vulnrichment\"}]}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-30847\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"state\": \"PUBLISHED\", \"assignerShortName\": \"GitHub_M\", \"dateReserved\": \"2026-03-05T21:27:35.341Z\", \"datePublished\": \"2026-03-06T19:37:19.337Z\", \"dateUpdated\": \"2026-03-06T19:37:19.337Z\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}

FKIE_CVE-2026-30847

Vulnerability from fkie_nvd - Published: 2026-03-06 20:16 - Updated: 2026-03-11 14:22

Severity ?

6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N