Wekan: Arbitrary File Read & DoS

A self-registered board user in Wekan can read arbitrary files via the attachment field versions.original.path and crash the server.

Advisory ID: TP-2026-004
Product: Wekan (open-source kanban board)
Vulnerability type: Path traversal (CWE-22) + uncontrolled resource consumption (CWE-400)
CVE: pending
CVSS 3.1: 7.1 (High)
Vendor advisory: GHSA-g6vm-7757-pr88
Fixed in: 9.31
Reported: 30 May 2026

Summary

Wekan is a widely used open-source kanban board. When creating attachments, authorization only checks board write access, not the versions object supplied by the client. A self-registered board member can therefore insert an attachment whose versions.original.path points to any absolute file and, with storage: "fs", forces a filesystem read. turingpoint verified against a running instance that this reads any file readable by the server process and crashes the server on demand.

Root cause

getReadStream() reads originalPath = v.path directly, with no containment check against the storage root (models/lib/fileStoreStrategy.js:334-335,383-389). getFileStrategy selects the storage backend from the attacker-set versions[version].storage, so storage:"fs" forces a filesystem read (fileStoreStrategy.js:76-78). The Attachments.allow({insert}) rule only checks board write access and never inspects the inserted versions object (server/permissions/attachments.js:6-9). The sibling update rule blocks versions.*.path writes with the comment "block direct client-side $set operations on 'versions.*.path' to prevent path traversal attacks", but the insert path lacks that guard (server/permissions/attachments.js:10-22). api.attachment.download buffers the entire read stream with no size limit, so a path of /dev/zero exhausts memory (server/attachmentApi.js:117-173).

Proof of Concept

Since registration is open by default, a self-created account with a public board is enough:

// 1) Insert an attachment with an absolute path
{ "name": "x.txt",
  "versions": { "original": { "path": "/proc/self/environ",
    "storage": "fs", "type": "text/plain", "size": 4096, "meta": {} } },
  "meta": { "boardId": "<board-id>", "source": "x" } }

// 2) Retrieve the file
GET /cdn/storage/attachments/<attachment-id>

The set storage:"fs" forces a filesystem read, exposing any file readable by the server process, for example /proc/self/environ with the MONGO_URL. If the path instead points to /dev/zero, the server process crashes (denial of service).

Impact

  • Read of any file readable by the server process (uid 999): environment variables, MONGO_URL, credentials.
  • MONGO_URL disclosure yields the database connection string; default MongoDB has no authentication.
  • Repeatable denial of service: a /dev/zero path crashes the server process on every call.
  • Exploitable by a self-registered user with no admin rights.

References

Is Something Like This in Your Software?

Our team found this vulnerability in the course of its work. Have your applications tested by the same specialists, with a penetration test from turingpoint.

Request a Pentest