Skip to main content

Wekan CVE-2026-55234

HIGH
Improper Access Control (CWE-284)
2026-07-15 GitHub_M
8.5
CVSS 3.1 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
8.5 HIGH
AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:L
vuln.today AI
8.5 HIGH

Authenticated user with write access to one board gives PR:L; network DDP endpoint and simple modifier give AV:N/AC:L; crossing into an unauthorized board is a scope change (S:C) with integrity injection (I:H) and no read (C:N).

3.1 AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:L
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:L/SC:N/SI:L/SA:N

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
None
Integrity
High
Availability
Low

Lifecycle Timeline

3
Source Code Evidence Fetched
Jul 15, 2026 - 22:04 vuln.today
Analysis Generated
Jul 15, 2026 - 22:04 vuln.today
CVE Published
Jul 15, 2026 - 21:13 cve.org
HIGH 8.5

DescriptionCVE.org

Wekan is open source kanban built with Meteor. Prior to 9.37, Wekan DDP update allow rules in server/permissions/cards.js, server/permissions/lists.js, and server/permissions/swimlanes.js authorize against the stored source boardId and do not validate a new boardId in the update modifier. Any authenticated user with write access to their own board can call /cards/update, /lists/update, or /swimlanes/update to move cards, lists, or swimlanes into a private board they are not a member of. This issue is fixed in version 9.37.

AnalysisAI

Improper access control in Wekan (self-hosted open-source Meteor kanban) before version 9.37 lets any authenticated user with write access to their own board relocate cards, lists, or swimlanes into a private board they do not belong to. The DDP update allow rules only authorize against the document's stored (source) boardId and never validate the attacker-supplied destination boardId in the update modifier, so /cards/update, /lists/update, and /swimlanes/update can be abused to inject content across a trust boundary. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Authenticate to Wekan with own writable board
Delivery
Craft DDP /cards/update with new boardId in $set
Exploit
Source-board allow rule approves the write
Execution
Card/list/swimlane relocated into victim's private board
Impact
Unauthorized content injected across board boundary

Vulnerability AssessmentAI

Exploitation The attacker must be an authenticated Wekan user (PR:L) who has write access to at least one board they control, and must issue a raw DDP update to /cards/update, /lists/update, or /swimlanes/update with a new destination boardId placed in the update modifier's $set. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:L, base 8.5) is internally consistent with the description: network-reachable DDP endpoint, low complexity, low privileges (an ordinary authenticated user with one writable board), no user interaction, and a scope change because the impact crosses into a board outside the attacker's authorization. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker registers or already holds a normal Wekan account and creates or is granted write access to their own board. Using a crafted DDP call to /cards/update (or /lists/update, /swimlanes/update) they set a new boardId in the update modifier pointing at a private board they are not a member of; the source-board-only allow check passes and the card/list/swimlane is relocated into the victim's private board. …
Remediation Vendor-released patch: upgrade Wekan to version 9.37 or later (https://github.com/wekan/wekan/releases/tag/v9.37), which introduces the denyCrossBoardMove deny rule enforcing write access on the destination board for Cards, Lists, and Swimlanes updates; this is the primary and complete fix per advisory GHSA-gm7v-pc38-53jr. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours, identify all Wekan deployments in your environment and classify which boards store confidential or business-critical data; document current user permissions and assess exposure scope if the vulnerability were exploited. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

More in Wekan

View all
CVE-2021-3309 HIGH POC
8.1 Jan 26

packages/wekan-ldap/server/ldap.js in Wekan before 4.87 can process connections even though they are not authorized by t

CVE-2026-52891 CRITICAL
9.9 Jul 15

OS command injection in Wekan (the open-source Meteor-based kanban board) before version 9.07 lets an authenticated user

CVE-2026-55652 CRITICAL
9.8 Jul 15

Authentication bypass in Wekan (open-source Meteor kanban) before version 9.46 lets an unauthenticated attacker imperson

CVE-2023-28485 MEDIUM POC
5.4 Jun 26

A stored cross-site scripting (Stored XSS) vulnerability in file preview in WeKan before 6.75 allows remote authenticate

CVE-2021-20654 MEDIUM POC
5.4 Feb 10

Wekan, open source kanban board system, between version 3.12 and 4.11, is vulnerable to multiple stored cross-site scrip

CVE-2026-52893 CRITICAL
9.2 Jul 15

Account takeover in Wekan (open-source Meteor kanban) before 9.32 allows an attacker who controls an OIDC provider accou

CVE-2026-25560 HIGH
8.7 Feb 07

LDAP filter injection in WeKan before 8.19 allows remote unauthenticated attackers to manipulate LDAP search filters and

CVE-2026-41454 HIGH
8.7 Apr 22

Privilege escalation in WeKan (versions prior to 8.35) allows authenticated board members with low privileges to perform

CVE-2026-30845 HIGH
8.2 Mar 06

Wekan versions 8.31.0 through 8.33 expose webhook URLs and authentication tokens to all board members through unfiltered

CVE-2026-30844 HIGH
8.1 Mar 06

Server-Side Request Forgery in Wekan 8.32-8.33 allows authenticated users to force the server to make arbitrary HTTP req

CVE-2026-53444 HIGH
7.6 Jul 15

Privilege escalation in Wekan (self-hosted Meteor kanban) before 9.32 lets any authenticated user directly invoke OIDC-o

CVE-2026-30846 HIGH
7.5 Mar 06

Wekan versions 8.31.0 through 8.33 expose global webhook configurations including sensitive URLs and authentication toke

Share

CVE-2026-55234 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy