Coordinated Disclosure Timeline

  • 2026-02-12: Reported issue to maintainer
  • 2026-02-19: Issue fixed in v8.34

Summary

The Wekan project version v8.31.0 is affected by a vulnerability (GHSL-2026-036) involving a webhook token leak through the pubsub mechanism, potentially exposing sensitive tokens and enabling unauthorized access or actions.

Project

Wekan

Tested Version

v8.31.0

Details

Webhook token leak via pubsub (GHSL-2026-036)

The board composite publication at line 228 publishes ALL integrations for a board with no field filtering:

find(board) {
  // Every field of every integration on the board reaches the subscriber;
  // no projection is applied to the documents before they are published.
  return ReactiveCache.getIntegrations({ boardId: board._id }, {}, true);
}

This leads to the publication of the following sensitive fields:

As board publications are accessible to:

  • All board members regardless of role (including read-only, comment-only, worker, assigned-only roles)
  • For public boards, ANY user, including unauthenticated DDP clients

this allows any user that can access and watch a board to retrieve the URL and authentication token of every webhook integration configured for that board, and to use those webhooks without authenticating.
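The contrast between an unfiltered publication and one with a field projection, as an added example in plain Node.js that is not Wekan's code: the document shape (boardId, url, token) is assumed from the advisory, the sample integrations are constructed, and `find`, `publishIntegrationsUnfiltered`, `publishIntegrationsFiltered` and `leakedSecrets` are hypothetical stand-ins for the Meteor publication and a subscriber's view of it.

```javascript
// Added example, not Wekan's code. Field names url/token are assumed from the
// advisory; helper names are hypothetical.
const SENSITIVE_INTEGRATION_FIELDS = ['token', 'url'];

// Constructed sample documents, shaped like a board's integrations collection.
const SAMPLE_INTEGRATIONS = [
  { _id: 'int1', boardId: 'board1', title: 'CI hook', enabled: true,
    url: 'https://hooks.example.test/abc', token: 'secret-token-1' },
  { _id: 'int2', boardId: 'board1', title: 'Chat hook', enabled: false,
    url: 'https://hooks.example.test/def', token: 'secret-token-2' },
  { _id: 'int3', boardId: 'board2', title: 'Other board', enabled: true,
    url: 'https://hooks.example.test/xyz', token: 'secret-token-3' },
];

// Minimal stand-in for a Mongo-style find(selector, { fields }) call:
// equality match on the selector keys, then an exclusion projection
// ({ field: 0 }) that drops the named fields from each returned document.
function find(docs, selector, options = {}) {
  const matched = docs.filter(d =>
    Object.keys(selector).every(k => d[k] === selector[k]));
  const fields = options.fields || {};
  const excluded = Object.keys(fields).filter(k => fields[k] === 0);
  return matched.map(d => {
    const copy = { ...d };
    for (const k of excluded) delete copy[k];
    return copy;
  });
}

// Vulnerable shape: the selector is scoped to the board, but no projection is
// applied, so token and url travel to every subscriber of the board.
function publishIntegrationsUnfiltered(board) {
  return find(SAMPLE_INTEGRATIONS, { boardId: board._id });
}

// Hardened shape: same selector, with the sensitive fields excluded from the
// published documents. Clients that only need to list integrations still get
// _id, title, enabled and boardId.
function publishIntegrationsFiltered(board) {
  const fields = {};
  for (const f of SENSITIVE_INTEGRATION_FIELDS) fields[f] = 0;
  return find(SAMPLE_INTEGRATIONS, { boardId: board._id }, { fields });
}

// What a subscriber (a read-only member, or an anonymous DDP client on a public
// board) could read back: every sensitive field that survived publication.
function leakedSecrets(published) {
  return published.flatMap(doc =>
    SENSITIVE_INTEGRATION_FIELDS.filter(f => f in doc).map(f => `${doc._id}.${f}`));
}

const board = { _id: 'board1' };
console.log('unfiltered leaks:', leakedSecrets(publishIntegrationsUnfiltered(board)));
console.log('filtered leaks:', leakedSecrets(publishIntegrationsFiltered(board)));
```

The check to carry over to a real Meteor deployment is the last function: subscribe to the board publication as the least-privileged client the board allows (an unauthenticated DDP client for a public board) and confirm that no document in the integrations collection exposes `token` or `url`. Documents for other boards (`int3` above) are never published by either variant, because the selector, not the projection, scopes the board.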

Impact

This issue leaks the URL and authentication token of a board's webhook integrations to any client that can subscribe to the board, including unauthenticated clients on public boards, which may result in unauthenticated use of the webhooks.

Credit

This issue was discovered with the GitHub Security Lab Taskflow Agent and manually verified by GHSL team members @p- (Peter Stöckli) and @m-y-mo (Man Yue Mo).

Contact

You can contact the GHSL team at securitylab@github.com, please include a reference to GHSL-2026-036 in any communication regarding this issue.