Skip to main content

Wekan CVE-2026-53445

HIGH
Missing Authorization (CWE-862)
2026-07-15 GitHub_M
7.1
CVSS 4.0 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
7.1 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
7.1 HIGH

Any authenticated user exploits over the network with no interaction (PR:L, AV:N, AC:L, UI:N); full read of private board content gives C:H, cloning yields minor I:L, no availability impact.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

3
Source Code Evidence Fetched
Jul 15, 2026 - 22:02 vuln.today
Analysis Generated
Jul 15, 2026 - 22:02 vuln.today
CVE Published
Jul 15, 2026 - 21:11 cve.org
HIGH 7.1

DescriptionCVE.org

Wekan is open source kanban built with Meteor. Prior to 9.32, the Wekan copyBoard Meteor DDP method in server/publications/boards.js copies a board by caller-supplied board ID without checking this.userId, membership, or admin access. Any authenticated user can copy a private board they are not a member of, including its cards, checklists, custom fields, labels, and rules, while the REST POST /api/boards/:boardId/copy path correctly checks board admin access. This issue is fixed in version 9.32.

AnalysisAI

Broken access control in Wekan's open-source kanban server (all releases prior to 9.32) lets any authenticated user copy a private board they have no membership in. The vulnerable copyBoard Meteor DDP method in server/publications/boards.js accepts a caller-supplied board ID without verifying this.userId, membership, or admin rights, so an attacker can exfiltrate the board's cards, checklists, custom fields, labels, and rules into a board they own. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Authenticate to Wekan instance
Delivery
Obtain target private board ID
Exploit
Invoke copyBoard DDP method directly
Execution
Bypass missing membership/admin check
Persist
Clone private board into attacker-owned board
Impact
Read exfiltrated cards, custom fields, and rules

Vulnerability AssessmentAI

Exploitation Requires a valid authenticated Wekan account (PR:L) with network access to the DDP/WebSocket interface, and knowledge of the target's board ID (exposed in URLs and API responses, making it easily obtainable or enumerable). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 base score is 7.1 (High) with vector AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N - network-reachable, low complexity, requiring only low privileges (any authenticated account) and no user interaction, with high confidentiality impact and low integrity impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker registers or already holds a low-privilege account on a shared Wekan instance, obtains or guesses the ID of a private board owned by another team (board IDs appear in URLs and API responses), and invokes the copyBoard DDP method with that ID. Because the method never checks membership or admin rights, the server clones the entire private board - including sensitive cards, custom fields, and rules - into a board the attacker controls, giving them full read access. …
Remediation Vendor-released patch: upgrade to Wekan 9.32 or later, which adds a board.hasAdmin(this.userId) authorization check to the copyBoard DDP method (see release https://github.com/wekan/wekan/releases/tag/v9.32 and advisory https://github.com/wekan/wekan/security/advisories/GHSA-7w2h-g83c-jqrp). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours, inventory all Wekan instances and identify those containing sensitive data; enable audit logging for board operations and copy activities. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

More in Wekan

View all
CVE-2021-3309 HIGH POC
8.1 Jan 26

packages/wekan-ldap/server/ldap.js in Wekan before 4.87 can process connections even though they are not authorized by t

CVE-2026-52891 CRITICAL
9.9 Jul 15

OS command injection in Wekan (the open-source Meteor-based kanban board) before version 9.07 lets an authenticated user

CVE-2026-55652 CRITICAL
9.8 Jul 15

Authentication bypass in Wekan (open-source Meteor kanban) before version 9.46 lets an unauthenticated attacker imperson

CVE-2023-28485 MEDIUM POC
5.4 Jun 26

A stored cross-site scripting (Stored XSS) vulnerability in file preview in WeKan before 6.75 allows remote authenticate

CVE-2021-20654 MEDIUM POC
5.4 Feb 10

Wekan, open source kanban board system, between version 3.12 and 4.11, is vulnerable to multiple stored cross-site scrip

CVE-2026-52893 CRITICAL
9.2 Jul 15

Account takeover in Wekan (open-source Meteor kanban) before 9.32 allows an attacker who controls an OIDC provider accou

CVE-2026-25560 HIGH
8.7 Feb 07

LDAP filter injection in WeKan before 8.19 allows remote unauthenticated attackers to manipulate LDAP search filters and

CVE-2026-41454 HIGH
8.7 Apr 22

Privilege escalation in WeKan (versions prior to 8.35) allows authenticated board members with low privileges to perform

CVE-2026-55234 HIGH
8.5 Jul 15

Improper access control in Wekan (self-hosted open-source Meteor kanban) before version 9.37 lets any authenticated user

CVE-2026-30845 HIGH
8.2 Mar 06

Wekan versions 8.31.0 through 8.33 expose webhook URLs and authentication tokens to all board members through unfiltered

CVE-2026-30844 HIGH
8.1 Mar 06

Server-Side Request Forgery in Wekan 8.32-8.33 allows authenticated users to force the server to make arbitrary HTTP req

CVE-2026-53444 HIGH
7.6 Jul 15

Privilege escalation in Wekan (self-hosted Meteor kanban) before 9.32 lets any authenticated user directly invoke OIDC-o

Share

CVE-2026-53445 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy