WeKan LDAP User Sync syncUser.js SyncLDAPBleed access control_CVE-2026-1898

5.3 / 10

MEDIUM

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X

Description

A vulnerability was determined in WeKan up to 8.20. This affects an unknown part of the file packages/wekan-ldap/server/syncUser.js of the component LDAP User Sync. This manipulation causes improper access controls. It is possible to initiate the attack remotely. Upgrading to version 8.21 is able to mitigate this issue. Patch name: 146905a459106b5d00b4f09453a6554255e6965a. You should upgrade the affected component.

Basic Information

ID CVE-2026-1898

Source VulDB

Published Feb 5, 2026 at 00:32

Affected Product

Vendor n/a

Product WeKan

Version 8.0

Affected Versions n/a WeKan 8.0
n/a WeKan 8.1
n/a WeKan 8.2
n/a WeKan 8.3
n/a WeKan 8.4
n/a WeKan 8.5
n/a WeKan 8.6
n/a WeKan 8.7
n/a WeKan 8.8
n/a WeKan 8.9
n/a WeKan 8.10
n/a WeKan 8.11
n/a WeKan 8.12
n/a WeKan 8.13
n/a WeKan 8.14
n/a WeKan 8.15
n/a WeKan 8.16
n/a WeKan 8.17
n/a WeKan 8.18
n/a WeKan 8.19
n/a WeKan 8.20

CWE Classification

CWE-284 CWE-266

References

{
    "lastseen": "",
    "description": "A vulnerability was determined in WeKan up to 8.20. This affects an unknown part of the file packages/wekan-ldap/server/syncUser.js of the component LDAP User Sync. This manipulation causes improper access controls. It is possible to initiate the attack remotely. Upgrading to version 8.21 is able to mitigate this issue. Patch name: 146905a459106b5d00b4f09453a6554255e6965a. You should upgrade the affected component.",
    "published": "2026-02-05T00:32:09.720Z",
    "modified": "2026-02-05T00:32:09.720Z",
    "type": "cve",
    "title": "WeKan LDAP User Sync syncUser.js SyncLDAPBleed access control",
    "source": "VulDB",
    "references": "https://vuldb.com/?id.344270\nhttps://vuldb.com/?ctiid.344270\nhttps://vuldb.com/?submit.742676\nhttps://github.com/wekan/wekan/commit/146905a459106b5d00b4f09453a6554255e6965a\nhttps://github.com/wekan/wekan/releases/tag/v8.21\nhttps://github.com/wekan/wekan/",
    "id": "CVE-2026-1898",
    "bulletinFamily": "",
    "cwe": [
        "CWE-284",
        "CWE-266"
    ],
    "cvelist": null,
    "sourceData": "n/a WeKan 8.0\nn/a WeKan 8.1\nn/a WeKan 8.2\nn/a WeKan 8.3\nn/a WeKan 8.4\nn/a WeKan 8.5\nn/a WeKan 8.6\nn/a WeKan 8.7\nn/a WeKan 8.8\nn/a WeKan 8.9\nn/a WeKan 8.10\nn/a WeKan 8.11\nn/a WeKan 8.12\nn/a WeKan 8.13\nn/a WeKan 8.14\nn/a WeKan 8.15\nn/a WeKan 8.16\nn/a WeKan 8.17\nn/a WeKan 8.18\nn/a WeKan 8.19\nn/a WeKan 8.20",
    "sourceHref": "",
    "cvss": {
        "score": 5.3,
        "severity": "MEDIUM",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "WeKan",
    "version": "8.0",
    "vendor": "n/a",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}