Skip to main content

Wekan CVE-2026-59154

| EUVDEUVD-2026-42935 MEDIUM
Incorrect Authorization (CWE-863)
2026-07-10 GitHub_M
4.3
CVSS 3.1 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
vuln.today AI
4.3 MEDIUM

PR:L confirmed by requirement for authenticated write access to a board; C:N because attacker cannot read private content; I:L for unauthorized data injection into restricted boards only.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

2
Patch available
Jul 10, 2026 - 18:01 EUVD
Analysis Generated
Jul 10, 2026 - 17:11 vuln.today

DescriptionCVE.org

Wekan is open source kanban built with Meteor. Prior to 9.64, Wekan has a cross-board authorization bypass in the direct Meteor collection allow rules for Checklists and ChecklistItems because updates are authorized only against the current source doc.cardId and do not inspect the destination cardId or boardId in the update modifier, allowing a low-privileged authenticated user with write access to one board and knowledge of a target private card id to create checklist data on an accessible card and move it into a private board where they are not a member. This issue is fixed in version 9.64.

AnalysisAI

Cross-board authorization bypass in Wekan prior to version 9.64 allows a low-privileged authenticated user to inject checklist data into private boards where they hold no membership. The flaw resides in Meteor's collection allow rules for Checklists and ChecklistItems, which validate write access against the source card's context but ignore the destination cardId or boardId embedded in the update modifier - enabling an attacker with write access to any one board to redirect checklist mutations into boards they are not permitted to access. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Authenticate to Wekan with low-privileged account
Delivery
Enumerate or obtain target private card ID
Exploit
Create checklist item on attacker-accessible card
Execution
Craft DDP update modifier with destination private cardId/boardId
Persist
Source-only allow rule passes authorization check
Impact
Checklist data written to private board without membership

Vulnerability AssessmentAI

Exploitation Exploitation requires all of the following: (1) an authenticated Wekan user account with write access to at least one board on the target Wekan instance; (2) prior knowledge of a valid card ID belonging to a card on a private board the attacker is not a member of - this card ID must be obtained through separate means such as prior board membership, social engineering, or another information disclosure path; (3) the ability to send crafted Meteor DDP WebSocket messages, achievable through browser developer tools or a DDP client library, requiring no special tooling. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 score of 4.3 (Medium) with vector AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N is a reasonable characterization of a constrained impact: only integrity is degraded (unauthorized checklist data written to a private board), with no confidentiality or availability effect. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An authenticated Wekan user with write access to a shared project board discovers the card ID of a card on a confidential executive planning board (obtained via prior access, a leaked URL, or enumeration) and crafts a Meteor DDP update message that creates a ChecklistItem on one of their own accessible cards while embedding the private board's cardId as the destination in the update modifier. The allow rule passes because the source authorization check succeeds, and Wekan writes the checklist data to the private board - potentially contaminating or polluting it with attacker-controlled content without the private board's members being aware of the unauthorized write.
Remediation Upgrade Wekan to version 9.64 or later, which corrects the Meteor collection allow rules to validate both the source and destination cardId and boardId before permitting any checklist mutation. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

More in Wekan

View all
CVE-2021-3309 HIGH POC
8.1 Jan 26

packages/wekan-ldap/server/ldap.js in Wekan before 4.87 can process connections even though they are not authorized by t

CVE-2026-52891 CRITICAL
9.9 Jul 15

OS command injection in Wekan (the open-source Meteor-based kanban board) before version 9.07 lets an authenticated user

CVE-2026-55652 CRITICAL
9.8 Jul 15

Authentication bypass in Wekan (open-source Meteor kanban) before version 9.46 lets an unauthenticated attacker imperson

CVE-2023-28485 MEDIUM POC
5.4 Jun 26

A stored cross-site scripting (Stored XSS) vulnerability in file preview in WeKan before 6.75 allows remote authenticate

CVE-2021-20654 MEDIUM POC
5.4 Feb 10

Wekan, open source kanban board system, between version 3.12 and 4.11, is vulnerable to multiple stored cross-site scrip

CVE-2026-52893 CRITICAL
9.2 Jul 15

Account takeover in Wekan (open-source Meteor kanban) before 9.32 allows an attacker who controls an OIDC provider accou

CVE-2026-25560 HIGH
8.7 Feb 07

LDAP filter injection in WeKan before 8.19 allows remote unauthenticated attackers to manipulate LDAP search filters and

CVE-2026-41454 HIGH
8.7 Apr 22

Privilege escalation in WeKan (versions prior to 8.35) allows authenticated board members with low privileges to perform

CVE-2026-55234 HIGH
8.5 Jul 15

Improper access control in Wekan (self-hosted open-source Meteor kanban) before version 9.37 lets any authenticated user

CVE-2026-30845 HIGH
8.2 Mar 06

Wekan versions 8.31.0 through 8.33 expose webhook URLs and authentication tokens to all board members through unfiltered

CVE-2026-30844 HIGH
8.1 Mar 06

Server-Side Request Forgery in Wekan 8.32-8.33 allows authenticated users to force the server to make arbitrary HTTP req

CVE-2026-53444 HIGH
7.6 Jul 15

Privilege escalation in Wekan (self-hosted Meteor kanban) before 9.32 lets any authenticated user directly invoke OIDC-o

Share

CVE-2026-59154 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy