Wekan
CVE-2026-55234
HIGH
Severity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:L
Authenticated user with write access to one board gives PR:L; network DDP endpoint and simple modifier give AV:N/AC:L; crossing into an unauthorized board is a scope change (S:C) with integrity injection (I:H) and no read (C:N).
Primary rating from Vendor (GitHub_M).
CVSS VectorVendor: GitHub_M
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:L
Lifecycle Timeline
3DescriptionCVE.org
Wekan is open source kanban built with Meteor. Prior to 9.37, Wekan DDP update allow rules in server/permissions/cards.js, server/permissions/lists.js, and server/permissions/swimlanes.js authorize against the stored source boardId and do not validate a new boardId in the update modifier. Any authenticated user with write access to their own board can call /cards/update, /lists/update, or /swimlanes/update to move cards, lists, or swimlanes into a private board they are not a member of. This issue is fixed in version 9.37.
AnalysisAI
Improper access control in Wekan (self-hosted open-source Meteor kanban) before version 9.37 lets any authenticated user with write access to their own board relocate cards, lists, or swimlanes into a private board they do not belong to. The DDP update allow rules only authorize against the document's stored (source) boardId and never validate the attacker-supplied destination boardId in the update modifier, so /cards/update, /lists/update, and /swimlanes/update can be abused to inject content across a trust boundary. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | The attacker must be an authenticated Wekan user (PR:L) who has write access to at least one board they control, and must issue a raw DDP update to /cards/update, /lists/update, or /swimlanes/update with a new destination boardId placed in the update modifier's $set. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:L, base 8.5) is internally consistent with the description: network-reachable DDP endpoint, low complexity, low privileges (an ordinary authenticated user with one writable board), no user interaction, and a scope change because the impact crosses into a board outside the attacker's authorization. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker registers or already holds a normal Wekan account and creates or is granted write access to their own board. Using a crafted DDP call to /cards/update (or /lists/update, /swimlanes/update) they set a new boardId in the update modifier pointing at a private board they are not a member of; the source-board-only allow check passes and the card/list/swimlane is relocated into the victim's private board. … |
| Remediation | Vendor-released patch: upgrade Wekan to version 9.37 or later (https://github.com/wekan/wekan/releases/tag/v9.37), which introduces the denyCrossBoardMove deny rule enforcing write access on the destination board for Cards, Lists, and Swimlanes updates; this is the primary and complete fix per advisory GHSA-gm7v-pc38-53jr. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours, identify all Wekan deployments in your environment and classify which boards store confidential or business-critical data; document current user permissions and assess exposure scope if the vulnerability were exploited. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
packages/wekan-ldap/server/ldap.js in Wekan before 4.87 can process connections even though they are not authorized by t
OS command injection in Wekan (the open-source Meteor-based kanban board) before version 9.07 lets an authenticated user
Authentication bypass in Wekan (open-source Meteor kanban) before version 9.46 lets an unauthenticated attacker imperson
A stored cross-site scripting (Stored XSS) vulnerability in file preview in WeKan before 6.75 allows remote authenticate
Wekan, open source kanban board system, between version 3.12 and 4.11, is vulnerable to multiple stored cross-site scrip
Account takeover in Wekan (open-source Meteor kanban) before 9.32 allows an attacker who controls an OIDC provider accou
LDAP filter injection in WeKan before 8.19 allows remote unauthenticated attackers to manipulate LDAP search filters and
Privilege escalation in WeKan (versions prior to 8.35) allows authenticated board members with low privileges to perform
Wekan versions 8.31.0 through 8.33 expose webhook URLs and authentication tokens to all board members through unfiltered
Server-Side Request Forgery in Wekan 8.32-8.33 allows authenticated users to force the server to make arbitrary HTTP req
Privilege escalation in Wekan (self-hosted Meteor kanban) before 9.32 lets any authenticated user directly invoke OIDC-o
Wekan versions 8.31.0 through 8.33 expose global webhook configurations including sensitive URLs and authentication toke
Same weakness CWE-284 – Improper Access Control
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today