External risk intelligence

Wekan Avatar Upload Command Injection

CVE advisorySeverity: CRITICAL (CVSS 9.9)

CVE-2026-52891

Wekan is a web-based kanban application designed to be accessed over a network. As a collaborative project management tool, it is commonly deployed as a web application accessible to users, often making its interfaces and features, such as avatar uploads, reachable via the internet or wide internal networks.

OS Command Injection

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

This advisory concerns a critical vulnerability found in the Wekan kanban application that could allow unauthorized command execution on the server. The issue arises from how user-supplied filenames are processed during avatar uploads, potentially enabling attackers to run malicious code. Leadership should be aware of this as it impacts a widely used collaboration tool and could have significant security implications if exploited.

  • User uploads can run server commands.
  • Critical vulnerability in a collaborative tool.
  • Confirm relevance and assess exposure.

Attack Path

How an attacker could exploit the issue

An attacker could exploit this vulnerability by uploading a specially crafted avatar file. The application uses user-supplied filenames in commands that execute on the server, allowing an attacker to run arbitrary code. This could lead to a compromise of the server.

  • Attacker uploads a malicious file.
  • Application processes filename in server command.
  • Server compromise through code execution.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability could allow an attacker to execute arbitrary commands on the server when a user uploads a specially crafted avatar file. This could affect the integrity and availability of the Wekan service and the underlying server, when supported by the advisory.

  • Server-side commands could be executed.
  • Malicious filenames could trigger command execution.
  • Compromised service availability and integrity.

Operational Fix

Recommended remediation, mitigation, and detection steps

Real-World Ownership Platform or application teams are likely responsible for Wekan, given its nature as a self-hosted Kanban tool. The first critical step is to identify all Wekan instances, determine their exposure (internal vs. external), and confirm their business criticality. Once ownership is confirmed, plan remediation based on the assessed risk, coordinating with vendor management if applicable.

  • Identify Wekan instances and ownership.
  • Verify exposure and business criticality.
  • Plan remediation based on risk.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is Wekan and what is it used for?

Wekan is an open-source, web-based kanban board application built on the Meteor framework. Organizations and teams use it to manage projects and tasks visually in a collaborative environment. Because it is self-hosted, it allows teams to keep their task data on their own infrastructure while providing features like file attachments and user profile customization, such as avatar uploads.

What is the vulnerability in CVE-2026-52891?

This is a command injection vulnerability, specifically categorized under CWE-78 and CWE-88. It occurs when the software takes a user-provided avatar filename and passes it directly into a system shell command without sufficient validation. Because the shell interprets certain characters as commands, an attacker can insert malicious instructions into the filename, forcing the underlying server to execute unauthorized code.

How does an attacker trigger this command injection?

An attacker triggers the issue by uploading an avatar file with a specially crafted name containing shell metacharacters, such as backticks or dollar signs. The vulnerability is tied specifically to the avatar upload process; simply navigating the kanban board or viewing existing cards without performing an upload does not trigger the execution of these malicious commands.

Who should be concerned about this Wekan vulnerability?

Teams hosting Wekan should prioritize this issue because the application is designed for network access. According to Halo Surface Signal, Wekan is typically deployed as a web application reachable over the internet or wide internal networks, making it a potential target for remote attackers. Anyone responsible for maintaining a Wekan instance where users can upload files is at risk if they have not yet updated their software.

How do I secure my Wekan installation?

The primary response is to upgrade your Wekan instance to version 9.07 or later. This update addresses the insecure handling of filenames during avatar processing. If you cannot update immediately, identify all running instances to determine their network reachability and business impact. Once identified, prioritize the upgrade process for any instances exposed to untrusted users or the broader network to mitigate the risk of unauthorized server command execution.

References