Wekan 8.31.0 – 8.33 Meteor DDP notificationUsers Sensitive Data Exposure (CVE-2026-30847)
A sensitive data exposure vulnerability in Wekan versions 8.31.0 through 8.33 allows any authenticated user to subscribe to the Meteor DDP publication "notificationUsers" and retrieve sensitive user documents, including bcrypt password hashes, login session tokens, and email information. The publication lacks both an authorization check and a field projection.
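The two controls the description names as missing, an authorization check and a field projection, are shown below as an added example that is not Wekan's code or its fix. It checks a published user document for the three exposed field groups and shows the shape of a handler that gates and projects. The sensitive paths follow the standard Meteor accounts user-document layout; `PUBLIC_FIELDS`, `allowedIds`, `publishUsers` and the sample documents are assumptions made for illustration.

```javascript
// Added example, not Wekan code. Sensitive paths follow the standard Meteor
// accounts user-document layout; PUBLIC_FIELDS and allowedIds are assumptions.
const SENSITIVE_PATHS = ['services.password.bcrypt', 'services.resume.loginTokens', 'emails'];
const PUBLIC_FIELDS = ['_id', 'username', 'profile.fullname', 'profile.avatarUrl'];

// Read a dotted path from a nested object; undefined when any step is missing.
function getPath(doc, path) {
  return path.split('.').reduce(
    (node, key) => (node !== null && typeof node === 'object' ? node[key] : undefined), doc);
}

// Sensitive paths present in a document as a subscribed client would receive it.
function findExposedFields(doc) {
  return SENSITIVE_PATHS.filter((p) => getPath(doc, p) !== undefined);
}

// Allow-list projection: copy only PUBLIC_FIELDS rather than stripping known secrets.
function projectPublic(doc) {
  const out = {};
  for (const path of PUBLIC_FIELDS) {
    const value = getPath(doc, path);
    if (value === undefined) continue;
    const keys = path.split('.');
    const last = keys.pop();
    let node = out;
    for (const key of keys) node = node[key] = node[key] || {};
    node[last] = value;
  }
  return out;
}

// Shape of a hardened publication handler (hypothetical): require a logged-in
// requester, restrict to ids that requester may see, then project.
function publishUsers(requesterId, requestedIds, allowedIds, users) {
  if (!requesterId) return [];
  return users
    .filter((u) => requestedIds.includes(u._id) && allowedIds.has(u._id))
    .map(projectPublic);
}

// Constructed sample documents; hash and token values are placeholders.
const sampleUsers = [
  { _id: 'u1', username: 'alice', profile: { fullname: 'Alice Example' },
    emails: [{ address: 'alice@example.invalid', verified: true }],
    services: { password: { bcrypt: '<placeholder-hash>' },
                resume: { loginTokens: [{ hashedToken: '<placeholder-token>' }] } } },
  { _id: 'u2', username: 'bob', emails: [{ address: 'bob@example.invalid', verified: false }] },
];
```

Running `findExposedFields` over documents captured from a test subscription in a staging instance gives a quick regression check that an upgrade actually removed the fields.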