Skip to main content

Wekan CVE-2026-55652

CRITICAL
Improper Authentication (CWE-287)
2026-07-15 GitHub_M
9.8
CVSS 3.1 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
9.8 CRITICAL

Reachable over the network with a single spoofed header and no auth or interaction (AV:N/AC:L/PR:N/UI:N); admin takeover yields full C/I/A, presuming the non-default header-login feature is enabled.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

3
Source Code Evidence Fetched
Jul 15, 2026 - 22:05 vuln.today
Analysis Generated
Jul 15, 2026 - 22:05 vuln.today
CVE Published
Jul 15, 2026 - 21:15 cve.org
CRITICAL 9.8

DescriptionCVE.org

Wekan is open source kanban built with Meteor. Prior to 9.46, header-login with HEADER_LOGIN_TRUSTED_IPS uses getRequestIp() in server/lib/headerLoginAuth.js to trust the client-supplied X-Forwarded-For header before the real socket address, allowing an unauthenticated attacker to send HEADER_LOGIN_ID for any username and receive a meteor_login_token session, including for admin. This issue is fixed in version 9.46.

AnalysisAI

Authentication bypass in Wekan (open-source Meteor kanban) before version 9.46 lets an unauthenticated attacker impersonate any account, including admin. The header-login feature's getRequestIp() in server/lib/headerLoginAuth.js trusts the client-supplied X-Forwarded-For header instead of the real TCP socket peer, so an attacker who can reach the HTTP port can spoof a trusted source IP and submit HEADER_LOGIN_ID for any username to receive a valid meteor_login_token session. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Reach Wekan HTTP port directly
Delivery
Craft request spoofing X-Forwarded-For
Exploit
Set HEADER_LOGIN_ID header to 'admin'
Execution
Server trusts forwarded IP, accepts identity
Persist
Receive meteor_login_token session
Impact
Full admin account takeover

Vulnerability AssessmentAI

Exploitation Requires a Wekan version prior to 9.46 AND header login enabled (HEADER_LOGIN_ID set to an identity header name); this SSO feature is off by default, which is the primary limiting factor. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, 9.8) reflects a worst-case network, unauthenticated, low-complexity full compromise, and the mechanics support that severity: spoofing a single HTTP header yields an admin session. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario On a pre-9.46 Wekan instance with header login enabled, an attacker who can reach the HTTP port sends a request setting X-Forwarded-For to an IP the server treats as trusted (or exploits the empty-allowlist 'trust all' default) together with the identity header HEADER_LOGIN_ID set to 'admin'. Wekan mistakes the spoofed forwarded IP for the real source, accepts the header identity, and returns a meteor_login_token, granting an authenticated admin session without any credentials. …
Remediation Vendor-released patch: 9.46 - upgrade Wekan to v9.46 or later (https://github.com/wekan/wekan/releases/tag/v9.46), which reads the source IP from the real TCP socket peer and fails closed when HEADER_LOGIN_TRUSTED_IPS is empty. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours, identify all Wekan deployments and their current versions; for instances running versions prior to 9.46, immediately implement network-level controls restricting HTTP access to trusted internal sources only and disable the header-login authentication feature if operationally feasible. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

More in Wekan

View all
CVE-2021-3309 HIGH POC
8.1 Jan 26

packages/wekan-ldap/server/ldap.js in Wekan before 4.87 can process connections even though they are not authorized by t

CVE-2026-52891 CRITICAL
9.9 Jul 15

OS command injection in Wekan (the open-source Meteor-based kanban board) before version 9.07 lets an authenticated user

CVE-2023-28485 MEDIUM POC
5.4 Jun 26

A stored cross-site scripting (Stored XSS) vulnerability in file preview in WeKan before 6.75 allows remote authenticate

CVE-2021-20654 MEDIUM POC
5.4 Feb 10

Wekan, open source kanban board system, between version 3.12 and 4.11, is vulnerable to multiple stored cross-site scrip

CVE-2026-52893 CRITICAL
9.2 Jul 15

Account takeover in Wekan (open-source Meteor kanban) before 9.32 allows an attacker who controls an OIDC provider accou

CVE-2026-25560 HIGH
8.7 Feb 07

LDAP filter injection in WeKan before 8.19 allows remote unauthenticated attackers to manipulate LDAP search filters and

CVE-2026-41454 HIGH
8.7 Apr 22

Privilege escalation in WeKan (versions prior to 8.35) allows authenticated board members with low privileges to perform

CVE-2026-55234 HIGH
8.5 Jul 15

Improper access control in Wekan (self-hosted open-source Meteor kanban) before version 9.37 lets any authenticated user

CVE-2026-30845 HIGH
8.2 Mar 06

Wekan versions 8.31.0 through 8.33 expose webhook URLs and authentication tokens to all board members through unfiltered

CVE-2026-30844 HIGH
8.1 Mar 06

Server-Side Request Forgery in Wekan 8.32-8.33 allows authenticated users to force the server to make arbitrary HTTP req

CVE-2026-53444 HIGH
7.6 Jul 15

Privilege escalation in Wekan (self-hosted Meteor kanban) before 9.32 lets any authenticated user directly invoke OIDC-o

CVE-2026-30846 HIGH
7.5 Mar 06

Wekan versions 8.31.0 through 8.33 expose global webhook configurations including sensitive URLs and authentication toke

Share

CVE-2026-55652 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy