A vulnerability labeled as critical has been found in Wekan up to 9.30. Affected by this issue is the function
getReadStream of the file server/permissions/attachments.js of the component Attachments. Such manipulation of the argument versions.original.path/versions.original.storage leads to path traversal.
This vulnerability is traded as CVE-2026-52890. The attack may be launched remotely. There is no exploit available.