Skip to main content

Wekan

47 CVEs product

Monthly

CVE-2026-55652 CRITICAL Act Now

Authentication bypass in Wekan (open-source Meteor kanban) before version 9.46 lets an unauthenticated attacker impersonate any account, including admin. The header-login feature's getRequestIp() in server/lib/headerLoginAuth.js trusts the client-supplied X-Forwarded-For header instead of the real TCP socket peer, so an attacker who can reach the HTTP port can spoof a trusted source IP and submit HEADER_LOGIN_ID for any username to receive a valid meteor_login_token session. Tracked by the vendor as 'ProxyBleed' (GHSA-jggc-qvfc-jr6x); CVSS 9.8. No public exploit identified at time of analysis and not listed in CISA KEV.

Authentication Bypass Wekan
NVD GitHub
CVSS 3.1
9.8
CVE-2026-55234 HIGH This Week

Improper access control in Wekan (self-hosted open-source Meteor kanban) before version 9.37 lets any authenticated user with write access to their own board relocate cards, lists, or swimlanes into a private board they do not belong to. The DDP update allow rules only authorize against the document's stored (source) boardId and never validate the attacker-supplied destination boardId in the update modifier, so /cards/update, /lists/update, and /swimlanes/update can be abused to inject content across a trust boundary. No public exploit identified at time of analysis, but the fixing commit and advisory publicly document the exact bypass, lowering the barrier to reproduction.

Authentication Bypass Wekan
NVD GitHub
CVSS 3.1
8.5
CVE-2026-53447 MEDIUM This Month

Unauthorized full-board read access in Wekan prior to v9.35 allows any authenticated user to exfiltrate the entire contents of any private board - cards, comments, attachments, member lists, and activity logs - by calling the `cloneBoard` Meteor method with an arbitrary board ID. The root cause is that `models/import.js` invokes the board exporter directly without calling `canExport()` or verifying source-board membership, the same guard correctly applied by the REST export route. No public exploit code has been identified at time of analysis, but the attack requires only a valid account and knowledge of a target board's ID, making it trivially reproducible by any developer familiar with the Meteor DDP protocol.

Authentication Bypass Wekan
NVD GitHub
CVSS 3.1
6.5
CVE-2026-52893 CRITICAL Act Now

Account takeover in Wekan (open-source Meteor kanban) before 9.32 allows an attacker who controls an OIDC provider account asserting a victim's email or username to hijack the victim's existing Wekan account. The vulnerable Accounts.onCreateUser hook in server/models/users.js merged incoming OIDC identities into any local account whose email OR username matched, without verifying ownership or checking email_verified, letting the attacker inherit the victim's boards, attachments, API tokens, and admin status. No public exploit identified at time of analysis, but the fix is confirmed in version 9.32 and the flaw carries a CVSS 4.0 base score of 9.2 (critical).

Authentication Bypass Wekan
NVD GitHub
CVSS 4.0
9.2
CVE-2026-53444 HIGH This Week

Privilege escalation in Wekan (self-hosted Meteor kanban) before 9.32 lets any authenticated user directly invoke OIDC-only Meteor methods that lack the admin authorization checks applied to their non-OIDC counterparts. By calling setCreateOrgFromOidc, setOrgAllFieldsFromOidc, setCreateTeamFromOidc, setTeamAllFieldsFromOidc, boardRoutineOnLogin, or groupRoutineOnLogin over DDP, a low-privileged user can create or modify organizations and teams, and - when PROPAGATE_OIDC_DATA is enabled - groupRoutineOnLogin can grant that user global admin. No public exploit identified at time of analysis; the vendor fix (v9.32) is confirmed and the flaw carries a CVSS 4.0 base score of 7.6.

Privilege Escalation Wekan
NVD GitHub
CVSS 4.0
7.6
CVE-2026-53445 HIGH This Week

Broken access control in Wekan's open-source kanban server (all releases prior to 9.32) lets any authenticated user copy a private board they have no membership in. The vulnerable copyBoard Meteor DDP method in server/publications/boards.js accepts a caller-supplied board ID without verifying this.userId, membership, or admin rights, so an attacker can exfiltrate the board's cards, checklists, custom fields, labels, and rules into a board they own. No public exploit identified at time of analysis; the flaw is authenticated-only (PR:L) with an EPSS/KEV signal absent from the input.

Authentication Bypass Wekan
NVD GitHub
CVSS 4.0
7.1
CVE-2026-53446 MEDIUM This Month

Server-side request forgery in Wekan's webhook integration feature allows board administrators to register malicious webhook URLs that the Wekan server later fetches without private-network validation, enabling unauthorized access to internal services and cloud metadata endpoints. All Wekan deployments prior to version 9.32 are affected; the root cause is that the existing validateAttachmentUrl() guard present in models/lib/attachmentUrlValidation.js was never wired into the webhook creation and update API paths. No public exploit has been identified and this is not listed in CISA KEV, but cloud-hosted Wekan instances face meaningful credential theft risk via cloud metadata service access.

SSRF Wekan
NVD GitHub
CVSS 4.0
6.2
CVE-2026-52892 MEDIUM This Month

Incorrect authorization in Wekan's REST API (all versions prior to 9.32) permits any read-only board member to invoke write-level operations - creating, modifying, or deleting custom fields and dropdown items - on boards they should only be able to view. Six route handlers in server/models/customFields.js apply the read-level checkBoardAccess guard to mutating HTTP methods (POST, PUT, DELETE), instead of the write-level checkBoardWriteAccess. No public exploit or CISA KEV listing has been identified at time of analysis, but the logic flaw is straightforward to exploit by any authenticated board member with API access.

Authentication Bypass Wekan
NVD GitHub
CVSS 3.1
6.5
CVE-2026-52891 CRITICAL Act Now

OS command injection in Wekan (the open-source Meteor-based kanban board) before version 9.07 lets an authenticated user execute arbitrary commands on the server by uploading an avatar with shell metacharacters in its filename. The user-supplied filename is embedded into a shell string passed to child_process.exec() for MIME-type detection in models/avatars.js and models/fileValidation.js, so backticks or $() in the name run as server-side commands. No public exploit is identified at time of analysis, but the vendor commit and advisory confirm the flaw; it is fixed in v9.07.

Command Injection Wekan
NVD GitHub
CVSS 3.1
9.9
CVE-2026-52890 HIGH This Week

Arbitrary file read and denial of service in Wekan (open-source Meteor kanban board) before version 9.31 allows an authenticated board member to read any file the server process can access by supplying attacker-controlled versions.original.path and versions.original.storage values to the /attachments/insert DDP method. Because the server-side insert permission rule only validates board write access and the filesystem store never confirms the path stays within the storage root, a low-privileged user can exfiltrate sensitive host files or hang the process by pointing at special files like /dev/zero. There is no public exploit identified at time of analysis and the flaw is not listed in CISA KEV, but a fixing commit and release (v9.31) are public.

Path Traversal Denial Of Service Wekan
NVD GitHub
CVSS 3.1
7.1
CVE-2026-59154 MEDIUM PATCH This Month

Cross-board authorization bypass in Wekan prior to version 9.64 allows a low-privileged authenticated user to inject checklist data into private boards where they hold no membership. The flaw resides in Meteor's collection allow rules for Checklists and ChecklistItems, which validate write access against the source card's context but ignore the destination cardId or boardId embedded in the update modifier - enabling an attacker with write access to any one board to redirect checklist mutations into boards they are not permitted to access. No active exploitation has been identified and no public exploit code exists; a vendor-confirmed fix is available in version 9.64.

Authentication Bypass Wekan
NVD GitHub
CVSS 3.1
4.3
EPSS
0.2%
CVE-2026-41455 MEDIUM PATCH This Month

Server-side request forgery in WeKan before 8.35 allows authenticated users to create or modify webhook integrations with arbitrary URLs, enabling the server to issue HTTP POST requests to internal network addresses and attacker-controlled targets. The vulnerability additionally permits unauthorized modification of comment text through response handling, affecting systems where users have integration management privileges. No active exploitation has been confirmed at time of analysis.

SSRF Wekan
NVD GitHub
CVSS 4.0
6.3
EPSS
0.0%
CVE-2026-41454 HIGH PATCH This Week

Privilege escalation in WeKan (versions prior to 8.35) allows authenticated board members with low privileges to perform administrative integration management without authorization checks. Attackers can enumerate webhook URLs and secrets, create/modify/delete integrations, and manipulate integration activities through unprotected REST API endpoints. CVSS 8.7 reflects high confidentiality and integrity impact with network attack vector and low complexity. VulnCheck reported this vulnerability with vendor patch available in version 8.35 and commit 2cd702f. EPSS data not available; no confirmed active exploitation or POC identified at time of analysis.

Authentication Bypass Wekan
NVD GitHub
CVSS 4.0
8.7
EPSS
0.0%
CVE-2026-30847 MEDIUM PATCH This Month

Wekan is an open source kanban tool built with Meteor. [CVSS 6.5 MEDIUM]

React Wekan
NVD GitHub
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-30846 HIGH PATCH This Week

Wekan versions 8.31.0 through 8.33 expose global webhook configurations including sensitive URLs and authentication tokens through an unauthenticated server-side publication, allowing any network-based attacker to retrieve webhook credentials without authentication. An attacker exploiting this vulnerability could hijack webhook integrations and gain unauthorized access to connected external services. The vulnerability has been patched in version 8.34.

Authentication Bypass Information Disclosure Wekan
NVD GitHub
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-30845 HIGH PATCH This Week

Wekan versions 8.31.0 through 8.33 expose webhook URLs and authentication tokens to all board members through unfiltered publication of integration data, allowing any user with board access—including read-only members and users on public boards—to retrieve sensitive credentials. Attackers can leverage these exposed tokens to make unauthorized requests to connected external services and trigger unintended actions. The vulnerability affects Wekan's board composite publication mechanism and has been patched in version 8.34.

Information Disclosure Wekan
NVD GitHub
CVSS 3.1
8.2
EPSS
0.1%
CVE-2026-30844 HIGH PATCH This Week

Server-Side Request Forgery in Wekan 8.32-8.33 allows authenticated users to force the server to make arbitrary HTTP requests by supplying malicious attachment URLs during board imports from JSON data or Trello. An attacker could exploit this to access internal network services, cloud metadata endpoints, or expose sensitive credentials without any URL validation occurring on the server side.

SSRF Wekan
NVD GitHub
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-30843 MEDIUM PATCH This Month

Wekan versions 8.32 and 8.33 allow authenticated users to modify custom fields across any board due to insufficient access validation in the custom fields API endpoints. An attacker with access to one board can exploit this Insecure Direct Object Reference vulnerability to manipulate custom fields on other boards by supplying foreign field IDs. A patch is available to address this authorization bypass.

Authentication Bypass Wekan
NVD GitHub
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-2209 MEDIUM PATCH This Month

Wekan versions up to 8.18 contain an authorization bypass in the custom translation handler that allows authenticated users to manipulate translation settings they should not have access to. An attacker with valid credentials can exploit the setCreateTranslation function to gain unauthorized access to modify translations, potentially affecting application functionality and data integrity. The vulnerability has been patched in version 8.19 and users should upgrade immediately.

Information Disclosure Wekan
NVD GitHub VulDB
CVSS 3.1
6.3
EPSS
0.0%
CVE-2026-2208 MEDIUM PATCH This Month

Wekan versions up to 8.20 contain an authorization bypass in the Rules Handler component that allows authenticated remote attackers to access unauthorized information through the rules.js file. The vulnerability requires valid credentials but no user interaction, enabling low-impact confidentiality breaches. Upgrading to version 8.21 resolves this issue.

Authentication Bypass Wekan
NVD GitHub VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-2207 MEDIUM PATCH This Month

WeKan versions up to 8.20 contain an information disclosure vulnerability in the Activity Publication Handler that allows unauthenticated remote attackers to access sensitive data through manipulation of the activities.js file. The vulnerability requires no user interaction and can be exploited over the network with low complexity. Users should upgrade to version 8.21 or apply patch 91a936e07d2976d4246dfe834281c3aaa87f9503 to remediate this issue.

Information Disclosure Wekan
NVD GitHub VulDB
CVSS 3.1
5.3
EPSS
0.1%
CVE-2026-2206 MEDIUM PATCH This Month

Improper access controls in WeKan's administrative repair handler (fixDuplicateLists.js) allow authenticated remote attackers to manipulate list data and gain unauthorized access to sensitive information. Affected versions through 8.20 can be remediated by upgrading to version 8.21 or applying the referenced patch.

Information Disclosure Wekan
NVD GitHub VulDB
CVSS 3.1
6.3
EPSS
0.1%
CVE-2026-2205 MEDIUM PATCH This Month

WeKan versions up to 8.20 contain an information disclosure vulnerability in the Meteor Publication Handler's card publication mechanism that allows authenticated remote attackers to access sensitive data. The vulnerability requires valid credentials but no user interaction to exploit, and is resolved in version 8.21.

Information Disclosure Wekan
NVD GitHub VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-25859 HIGH PATCH This Week

Broken authorization in Wekan versions prior to 8.20 lets any authenticated non-administrative user invoke board migration functionality that should be restricted to board administrators. Because permission checks on the migration methods (e.g. comprehensiveBoardMigration.execute) are insufficient, a low-privileged user can trigger unauthorized migration operations that mutate board structure and data. EPSS is very low (0.05%, 15th percentile) and there is no public exploit identified at time of analysis, but a vendor patch and fix commit are available.

Authentication Bypass Wekan
NVD GitHub
CVSS 4.0
7.1
EPSS
0.0%
CVE-2026-25568 HIGH PATCH This Week

Authorization bypass in WeKan (self-hosted kanban board) versions prior to 8.19 lets an authenticated user create public boards even when the instance-wide allowPrivateOnly setting is enabled, because server-side enforcement of the visibility policy is incomplete at board-creation time. The flaw undermines an administrator's expectation that all boards remain private, potentially exposing board content beyond intended audiences. EPSS is low (0.03%, 9th percentile) with no public exploit identified at time of analysis and no CISA KEV listing; a vendor patch is available.

Authentication Bypass Wekan
NVD GitHub
CVSS 4.0
7.1
EPSS
0.0%
CVE-2026-25567 MEDIUM PATCH This Month

Wekan versions up to 8.19 is affected by authorization bypass through user-controlled key (CVSS 4.3).

Authentication Bypass Wekan
NVD GitHub
CVSS 4.0
5.3
EPSS
0.0%
CVE-2026-25566 HIGH PATCH This Week

Improper authorization in WeKan's card-move API lets an authenticated low-privilege user relocate cards to boards, lists, and swimlanes they do not control, because the destination is trusted without verifying access rights or that the target objects belong to the destination board. All WeKan versions before 8.19 are affected; no public exploit is identified at time of analysis and EPSS is negligible (0.01%), but the fixing commit publicly documents the missing checks, lowering the bar to reproduce.

Authentication Bypass Wekan
NVD GitHub
CVSS 4.0
7.1
EPSS
0.0%
CVE-2026-25565 HIGH PATCH This Week

Privilege escalation via broken authorization in WeKan (the open-source kanban board) before 8.19 lets users holding read-only board roles modify cards, lists, and swimlanes that should require write access. The flaw stems from card/list/swimlane update API routes calling a read-level access check instead of a write-level check, letting a low-privileged but authenticated member tamper with data they should only be able to view. There is no public exploit identified at time of analysis and EPSS is negligible (0.01%), but the fix is confirmed in an upstream commit and the CVSS 4.0 base score is 7.1.

Authentication Bypass Wekan
NVD GitHub
CVSS 4.0
7.1
EPSS
0.0%
CVE-2026-25564 HIGH PATCH This Week

Cross-board data tampering in WeKan (open-source Trello-style kanban board) before version 8.19 lets an authenticated low-privileged user manipulate checklists on cards belonging to boards they should not access. The checklist creation, deletion, and related REST routes accept a cardId without confirming it belongs to the supplied boardId, so an attacker can forge identifiers to add or remove checklists on other users' cards. No public exploit identified at time of analysis, and EPSS is negligible (0.01%), but the vendor fix commit confirms the root cause and a straightforward exploitation path.

Authentication Bypass Wekan
NVD GitHub
CVSS 4.0
7.1
EPSS
0.0%
CVE-2026-25563 HIGH PATCH This Week

Cross-board data tampering in WeKan (the open-source Trello-style kanban board) before version 8.19 lets an authenticated low-privilege user attach checklists to cards on boards they do not own by supplying a mismatched cardId/boardId pair. Because the checklist creation routes never confirm the card actually belongs to the referenced board, any logged-in user can manipulate identifiers to write into other users' boards. No public exploit is identified at time of analysis and EPSS exploitation probability is negligible (0.01%), but the fix is confirmed by an upstream vendor commit.

Authentication Bypass Wekan
NVD GitHub
CVSS 4.0
7.1
EPSS
0.0%
CVE-2026-25562 MEDIUM PATCH This Month

Wekan versions before 8.19 fail to properly restrict attachment metadata visibility, allowing authenticated users to enumerate attachment information from boards and cards they should not have access to. This information disclosure vulnerability requires valid credentials and can expose sensitive metadata to unauthorized users across the platform. A patch is available.

Information Disclosure Wekan
NVD GitHub
CVSS 4.0
5.3
EPSS
0.0%
CVE-2026-25561 HIGH PATCH This Week

Improper authorization in the WeKan attachment upload API (versions prior to 8.19) lets an authenticated low-privileged user submit inconsistent object identifiers (boardId, cardId, swimlaneId, listId) that the server fails to cross-validate, allowing attachments to be associated with or moved across card/board relationships the user should not control. The affected component is the self-hosted open-source kanban platform WeKan; the fix (commit 1d16955b) adds server-side checks that a card actually belongs to the named board, swimlane, and list. No public exploit identified at time of analysis, EPSS is negligible (0.01%), and it is not in CISA KEV.

Authentication Bypass Wekan
NVD GitHub
CVSS 4.0
7.1
EPSS
0.0%
CVE-2026-25560 HIGH PATCH This Week

LDAP filter injection in WeKan before 8.19 allows remote unauthenticated attackers to manipulate LDAP search filters and DN construction during login by supplying crafted usernames that are embedded into queries without escaping. Because the malicious input reaches the authentication path directly (CVSS 4.0 AV:N/PR:N/UI:N, base score 8.7), an attacker can tamper with the authentication logic to enumerate directory data or subvert the intended search filter. No public exploit is identified at time of analysis and EPSS exploitation probability is low (0.05%), but a vendor patch (commit 0b0e16c) is available.

LDAP Wekan Code Injection
NVD GitHub
CVSS 4.0
8.7
EPSS
0.1%
CVE-2026-1964 MEDIUM PATCH This Month

Improper access controls in Wekan's REST API endpoint (models/boards.js) prior to version 8.21 allow authenticated users to modify resources they should not have permission to access. The vulnerability requires valid credentials but no user interaction, making it exploitable by any authenticated attacker with network access. Administrators should upgrade to version 8.21 or later to remediate this issue.

Information Disclosure Wekan
NVD GitHub VulDB
CVSS 3.1
4.3
EPSS
0.1%
CVE-2026-1963 MEDIUM PATCH This Month

Improper access controls in Wekan's attachment storage mechanism (models/attachments.js) up to version 8.20 allow authenticated remote attackers to gain unauthorized access to sensitive data and modify attachments. An attacker with valid credentials can exploit this vulnerability to read, modify, or delete attachments they should not have permission to access. Upgrading to version 8.21 or later resolves this issue.

Information Disclosure Wekan
NVD GitHub VulDB
CVSS 3.1
6.3
EPSS
0.0%
CVE-2026-1962 MEDIUM PATCH This Month

Improper access controls in Wekan's attachment migration component allow authenticated remote attackers to read, modify, or disrupt service functionality. The vulnerability affects Wekan versions up to 8.20 and requires valid user credentials to exploit. Users should upgrade to version 8.21 or later to remediate this issue.

Information Disclosure Wekan
NVD GitHub VulDB
CVSS 3.1
6.3
EPSS
0.0%
CVE-2026-1898 MEDIUM PATCH This Month

Improper access controls in WeKan's LDAP user synchronization component (versions up to 8.20) allow authenticated remote attackers to gain unauthorized access to sensitive information or modify data with low complexity. The vulnerability affects the LDAP User Sync functionality in packages/wekan-ldap/server/syncUser.js and requires valid credentials to exploit. WeKan 8.21 and later address this issue and should be deployed immediately.

LDAP Wekan
NVD GitHub VulDB
CVSS 3.1
6.3
EPSS
0.0%
CVE-2026-1897 MEDIUM PATCH This Month

WeKan versions up to 8.20 contain an authorization bypass in the position history tracking functionality that allows authenticated remote attackers to access sensitive information without proper permissions. The vulnerability exists in the server/methods/positionHistory.js file and can be exploited by any user with login credentials. Upgrading to version 8.21 or later resolves this issue.

Authentication Bypass Wekan
NVD GitHub VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-1896 MEDIUM PATCH This Month

Improper access control in Wekan's board migration function allows authenticated remote attackers to manipulate the boardId parameter and gain unauthorized access to sensitive data or modify board information. Wekan versions up to 8.20 are affected, and administrators should upgrade to version 8.21 or later to remediate this vulnerability.

Information Disclosure Wekan
NVD GitHub VulDB
CVSS 3.1
6.3
EPSS
0.1%
CVE-2026-1895 MEDIUM PATCH This Month

Wekan versions up to 8.20. contains a vulnerability that allows attackers to improper access controls (CVSS 6.3).

Information Disclosure Wekan
NVD GitHub VulDB
CVSS 3.1
6.3
EPSS
0.1%
CVE-2026-1894 MEDIUM PATCH This Month

Improper authorization in WeKan's REST API (versions up to 8.20) allows authenticated users to manipulate checklist item parameters and gain unauthorized access to resources across different boards and checklists. An attacker with valid credentials can exploit this vulnerability to read or modify data they should not have access to. The vulnerability has been patched in version 8.21 and users should upgrade immediately.

Information Disclosure Wekan
NVD GitHub VulDB
CVSS 3.1
6.3
EPSS
0.0%
CVE-2026-1892 MEDIUM PATCH This Month

Improper authorization in WeKan's REST API setBoardOrgs function (versions up to 8.20) allows authenticated attackers to manipulate cardId, checklistId, and boardId parameters to gain unauthorized access to sensitive board information. The vulnerability requires local network access and high attack complexity, limiting its practical exploitation. A patch is available in version 8.21 and should be applied to all affected deployments.

Information Disclosure Wekan
NVD GitHub VulDB
CVSS 3.1
5.0
EPSS
0.1%
CVE-2023-28485 MEDIUM POC This Month

A stored cross-site scripting (Stored XSS) vulnerability in file preview in WeKan before 6.75 allows remote authenticated users to inject arbitrary web script or HTML via names of file attachments. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS Wekan
NVD
CVSS 3.1
5.4
EPSS
1.0%
CVE-2023-31779 MEDIUM PATCH This Month

Wekan v6.84 and earlier is vulnerable to Cross Site Scripting (XSS). Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

XSS Wekan
NVD GitHub
CVSS 3.1
5.4
EPSS
0.6%
CVE-2021-20654 MEDIUM POC This Month

Wekan, open source kanban board system, between version 3.12 and 4.11, is vulnerable to multiple stored cross-site scripting. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS Wekan
NVD
CVSS 3.1
5.4
EPSS
0.8%
CVE-2021-3309 HIGH POC PATCH This Week

packages/wekan-ldap/server/ldap.js in Wekan before 4.87 can process connections even though they are not authorized by the Certification Authority trust store,. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. Public exploit code available.

Information Disclosure Wekan
NVD GitHub
CVSS 3.1
8.1
EPSS
1.7%
CVE-2018-1000549 MEDIUM This Month

Wekan version 1.04.0 contains a Email / Username Enumeration vulnerability in Register' and 'Forgot your password?' pages that can result in A remote attacker could perform a brute force attack to. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Wekan
NVD
CVSS 3.0
5.3
EPSS
1.3%
CVSS 9.8
CRITICAL Act Now

Authentication bypass in Wekan (open-source Meteor kanban) before version 9.46 lets an unauthenticated attacker impersonate any account, including admin. The header-login feature's getRequestIp() in server/lib/headerLoginAuth.js trusts the client-supplied X-Forwarded-For header instead of the real TCP socket peer, so an attacker who can reach the HTTP port can spoof a trusted source IP and submit HEADER_LOGIN_ID for any username to receive a valid meteor_login_token session. Tracked by the vendor as 'ProxyBleed' (GHSA-jggc-qvfc-jr6x); CVSS 9.8. No public exploit identified at time of analysis and not listed in CISA KEV.

Authentication Bypass Wekan
NVD GitHub
CVSS 8.5
HIGH This Week

Improper access control in Wekan (self-hosted open-source Meteor kanban) before version 9.37 lets any authenticated user with write access to their own board relocate cards, lists, or swimlanes into a private board they do not belong to. The DDP update allow rules only authorize against the document's stored (source) boardId and never validate the attacker-supplied destination boardId in the update modifier, so /cards/update, /lists/update, and /swimlanes/update can be abused to inject content across a trust boundary. No public exploit identified at time of analysis, but the fixing commit and advisory publicly document the exact bypass, lowering the barrier to reproduction.

Authentication Bypass Wekan
NVD GitHub
CVSS 6.5
MEDIUM This Month

Unauthorized full-board read access in Wekan prior to v9.35 allows any authenticated user to exfiltrate the entire contents of any private board - cards, comments, attachments, member lists, and activity logs - by calling the `cloneBoard` Meteor method with an arbitrary board ID. The root cause is that `models/import.js` invokes the board exporter directly without calling `canExport()` or verifying source-board membership, the same guard correctly applied by the REST export route. No public exploit code has been identified at time of analysis, but the attack requires only a valid account and knowledge of a target board's ID, making it trivially reproducible by any developer familiar with the Meteor DDP protocol.

Authentication Bypass Wekan
NVD GitHub
CVSS 9.2
CRITICAL Act Now

Account takeover in Wekan (open-source Meteor kanban) before 9.32 allows an attacker who controls an OIDC provider account asserting a victim's email or username to hijack the victim's existing Wekan account. The vulnerable Accounts.onCreateUser hook in server/models/users.js merged incoming OIDC identities into any local account whose email OR username matched, without verifying ownership or checking email_verified, letting the attacker inherit the victim's boards, attachments, API tokens, and admin status. No public exploit identified at time of analysis, but the fix is confirmed in version 9.32 and the flaw carries a CVSS 4.0 base score of 9.2 (critical).

Authentication Bypass Wekan
NVD GitHub
CVSS 7.6
HIGH This Week

Privilege escalation in Wekan (self-hosted Meteor kanban) before 9.32 lets any authenticated user directly invoke OIDC-only Meteor methods that lack the admin authorization checks applied to their non-OIDC counterparts. By calling setCreateOrgFromOidc, setOrgAllFieldsFromOidc, setCreateTeamFromOidc, setTeamAllFieldsFromOidc, boardRoutineOnLogin, or groupRoutineOnLogin over DDP, a low-privileged user can create or modify organizations and teams, and - when PROPAGATE_OIDC_DATA is enabled - groupRoutineOnLogin can grant that user global admin. No public exploit identified at time of analysis; the vendor fix (v9.32) is confirmed and the flaw carries a CVSS 4.0 base score of 7.6.

Privilege Escalation Wekan
NVD GitHub
CVSS 7.1
HIGH This Week

Broken access control in Wekan's open-source kanban server (all releases prior to 9.32) lets any authenticated user copy a private board they have no membership in. The vulnerable copyBoard Meteor DDP method in server/publications/boards.js accepts a caller-supplied board ID without verifying this.userId, membership, or admin rights, so an attacker can exfiltrate the board's cards, checklists, custom fields, labels, and rules into a board they own. No public exploit identified at time of analysis; the flaw is authenticated-only (PR:L) with an EPSS/KEV signal absent from the input.

Authentication Bypass Wekan
NVD GitHub
CVSS 6.2
MEDIUM This Month

Server-side request forgery in Wekan's webhook integration feature allows board administrators to register malicious webhook URLs that the Wekan server later fetches without private-network validation, enabling unauthorized access to internal services and cloud metadata endpoints. All Wekan deployments prior to version 9.32 are affected; the root cause is that the existing validateAttachmentUrl() guard present in models/lib/attachmentUrlValidation.js was never wired into the webhook creation and update API paths. No public exploit has been identified and this is not listed in CISA KEV, but cloud-hosted Wekan instances face meaningful credential theft risk via cloud metadata service access.

SSRF Wekan
NVD GitHub
CVSS 6.5
MEDIUM This Month

Incorrect authorization in Wekan's REST API (all versions prior to 9.32) permits any read-only board member to invoke write-level operations - creating, modifying, or deleting custom fields and dropdown items - on boards they should only be able to view. Six route handlers in server/models/customFields.js apply the read-level checkBoardAccess guard to mutating HTTP methods (POST, PUT, DELETE), instead of the write-level checkBoardWriteAccess. No public exploit or CISA KEV listing has been identified at time of analysis, but the logic flaw is straightforward to exploit by any authenticated board member with API access.

Authentication Bypass Wekan
NVD GitHub
CVSS 9.9
CRITICAL Act Now

OS command injection in Wekan (the open-source Meteor-based kanban board) before version 9.07 lets an authenticated user execute arbitrary commands on the server by uploading an avatar with shell metacharacters in its filename. The user-supplied filename is embedded into a shell string passed to child_process.exec() for MIME-type detection in models/avatars.js and models/fileValidation.js, so backticks or $() in the name run as server-side commands. No public exploit is identified at time of analysis, but the vendor commit and advisory confirm the flaw; it is fixed in v9.07.

Command Injection Wekan
NVD GitHub
CVSS 7.1
HIGH This Week

Arbitrary file read and denial of service in Wekan (open-source Meteor kanban board) before version 9.31 allows an authenticated board member to read any file the server process can access by supplying attacker-controlled versions.original.path and versions.original.storage values to the /attachments/insert DDP method. Because the server-side insert permission rule only validates board write access and the filesystem store never confirms the path stays within the storage root, a low-privileged user can exfiltrate sensitive host files or hang the process by pointing at special files like /dev/zero. There is no public exploit identified at time of analysis and the flaw is not listed in CISA KEV, but a fixing commit and release (v9.31) are public.

Path Traversal Denial Of Service Wekan
NVD GitHub
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Cross-board authorization bypass in Wekan prior to version 9.64 allows a low-privileged authenticated user to inject checklist data into private boards where they hold no membership. The flaw resides in Meteor's collection allow rules for Checklists and ChecklistItems, which validate write access against the source card's context but ignore the destination cardId or boardId embedded in the update modifier - enabling an attacker with write access to any one board to redirect checklist mutations into boards they are not permitted to access. No active exploitation has been identified and no public exploit code exists; a vendor-confirmed fix is available in version 9.64.

Authentication Bypass Wekan
NVD GitHub
EPSS 0% CVSS 6.3
MEDIUM PATCH This Month

Server-side request forgery in WeKan before 8.35 allows authenticated users to create or modify webhook integrations with arbitrary URLs, enabling the server to issue HTTP POST requests to internal network addresses and attacker-controlled targets. The vulnerability additionally permits unauthorized modification of comment text through response handling, affecting systems where users have integration management privileges. No active exploitation has been confirmed at time of analysis.

SSRF Wekan
NVD GitHub
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Privilege escalation in WeKan (versions prior to 8.35) allows authenticated board members with low privileges to perform administrative integration management without authorization checks. Attackers can enumerate webhook URLs and secrets, create/modify/delete integrations, and manipulate integration activities through unprotected REST API endpoints. CVSS 8.7 reflects high confidentiality and integrity impact with network attack vector and low complexity. VulnCheck reported this vulnerability with vendor patch available in version 8.35 and commit 2cd702f. EPSS data not available; no confirmed active exploitation or POC identified at time of analysis.

Authentication Bypass Wekan
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Wekan is an open source kanban tool built with Meteor. [CVSS 6.5 MEDIUM]

React Wekan
NVD GitHub
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Wekan versions 8.31.0 through 8.33 expose global webhook configurations including sensitive URLs and authentication tokens through an unauthenticated server-side publication, allowing any network-based attacker to retrieve webhook credentials without authentication. An attacker exploiting this vulnerability could hijack webhook integrations and gain unauthorized access to connected external services. The vulnerability has been patched in version 8.34.

Authentication Bypass Information Disclosure Wekan
NVD GitHub
EPSS 0% CVSS 8.2
HIGH PATCH This Week

Wekan versions 8.31.0 through 8.33 expose webhook URLs and authentication tokens to all board members through unfiltered publication of integration data, allowing any user with board access—including read-only members and users on public boards—to retrieve sensitive credentials. Attackers can leverage these exposed tokens to make unauthorized requests to connected external services and trigger unintended actions. The vulnerability affects Wekan's board composite publication mechanism and has been patched in version 8.34.

Information Disclosure Wekan
NVD GitHub
EPSS 0% CVSS 8.1
HIGH PATCH This Week

Server-Side Request Forgery in Wekan 8.32-8.33 allows authenticated users to force the server to make arbitrary HTTP requests by supplying malicious attachment URLs during board imports from JSON data or Trello. An attacker could exploit this to access internal network services, cloud metadata endpoints, or expose sensitive credentials without any URL validation occurring on the server side.

SSRF Wekan
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Wekan versions 8.32 and 8.33 allow authenticated users to modify custom fields across any board due to insufficient access validation in the custom fields API endpoints. An attacker with access to one board can exploit this Insecure Direct Object Reference vulnerability to manipulate custom fields on other boards by supplying foreign field IDs. A patch is available to address this authorization bypass.

Authentication Bypass Wekan
NVD GitHub
EPSS 0% CVSS 6.3
MEDIUM PATCH This Month

Wekan versions up to 8.18 contain an authorization bypass in the custom translation handler that allows authenticated users to manipulate translation settings they should not have access to. An attacker with valid credentials can exploit the setCreateTranslation function to gain unauthorized access to modify translations, potentially affecting application functionality and data integrity. The vulnerability has been patched in version 8.19 and users should upgrade immediately.

Information Disclosure Wekan
NVD GitHub VulDB
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Wekan versions up to 8.20 contain an authorization bypass in the Rules Handler component that allows authenticated remote attackers to access unauthorized information through the rules.js file. The vulnerability requires valid credentials but no user interaction, enabling low-impact confidentiality breaches. Upgrading to version 8.21 resolves this issue.

Authentication Bypass Wekan
NVD GitHub VulDB
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

WeKan versions up to 8.20 contain an information disclosure vulnerability in the Activity Publication Handler that allows unauthenticated remote attackers to access sensitive data through manipulation of the activities.js file. The vulnerability requires no user interaction and can be exploited over the network with low complexity. Users should upgrade to version 8.21 or apply patch 91a936e07d2976d4246dfe834281c3aaa87f9503 to remediate this issue.

Information Disclosure Wekan
NVD GitHub VulDB
EPSS 0% CVSS 6.3
MEDIUM PATCH This Month

Improper access controls in WeKan's administrative repair handler (fixDuplicateLists.js) allow authenticated remote attackers to manipulate list data and gain unauthorized access to sensitive information. Affected versions through 8.20 can be remediated by upgrading to version 8.21 or applying the referenced patch.

Information Disclosure Wekan
NVD GitHub VulDB
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

WeKan versions up to 8.20 contain an information disclosure vulnerability in the Meteor Publication Handler's card publication mechanism that allows authenticated remote attackers to access sensitive data. The vulnerability requires valid credentials but no user interaction to exploit, and is resolved in version 8.21.

Information Disclosure Wekan
NVD GitHub VulDB
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Broken authorization in Wekan versions prior to 8.20 lets any authenticated non-administrative user invoke board migration functionality that should be restricted to board administrators. Because permission checks on the migration methods (e.g. comprehensiveBoardMigration.execute) are insufficient, a low-privileged user can trigger unauthorized migration operations that mutate board structure and data. EPSS is very low (0.05%, 15th percentile) and there is no public exploit identified at time of analysis, but a vendor patch and fix commit are available.

Authentication Bypass Wekan
NVD GitHub
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Authorization bypass in WeKan (self-hosted kanban board) versions prior to 8.19 lets an authenticated user create public boards even when the instance-wide allowPrivateOnly setting is enabled, because server-side enforcement of the visibility policy is incomplete at board-creation time. The flaw undermines an administrator's expectation that all boards remain private, potentially exposing board content beyond intended audiences. EPSS is low (0.03%, 9th percentile) with no public exploit identified at time of analysis and no CISA KEV listing; a vendor patch is available.

Authentication Bypass Wekan
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Wekan versions up to 8.19 is affected by authorization bypass through user-controlled key (CVSS 4.3).

Authentication Bypass Wekan
NVD GitHub
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Improper authorization in WeKan's card-move API lets an authenticated low-privilege user relocate cards to boards, lists, and swimlanes they do not control, because the destination is trusted without verifying access rights or that the target objects belong to the destination board. All WeKan versions before 8.19 are affected; no public exploit is identified at time of analysis and EPSS is negligible (0.01%), but the fixing commit publicly documents the missing checks, lowering the bar to reproduce.

Authentication Bypass Wekan
NVD GitHub
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Privilege escalation via broken authorization in WeKan (the open-source kanban board) before 8.19 lets users holding read-only board roles modify cards, lists, and swimlanes that should require write access. The flaw stems from card/list/swimlane update API routes calling a read-level access check instead of a write-level check, letting a low-privileged but authenticated member tamper with data they should only be able to view. There is no public exploit identified at time of analysis and EPSS is negligible (0.01%), but the fix is confirmed in an upstream commit and the CVSS 4.0 base score is 7.1.

Authentication Bypass Wekan
NVD GitHub
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Cross-board data tampering in WeKan (open-source Trello-style kanban board) before version 8.19 lets an authenticated low-privileged user manipulate checklists on cards belonging to boards they should not access. The checklist creation, deletion, and related REST routes accept a cardId without confirming it belongs to the supplied boardId, so an attacker can forge identifiers to add or remove checklists on other users' cards. No public exploit identified at time of analysis, and EPSS is negligible (0.01%), but the vendor fix commit confirms the root cause and a straightforward exploitation path.

Authentication Bypass Wekan
NVD GitHub
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Cross-board data tampering in WeKan (the open-source Trello-style kanban board) before version 8.19 lets an authenticated low-privilege user attach checklists to cards on boards they do not own by supplying a mismatched cardId/boardId pair. Because the checklist creation routes never confirm the card actually belongs to the referenced board, any logged-in user can manipulate identifiers to write into other users' boards. No public exploit is identified at time of analysis and EPSS exploitation probability is negligible (0.01%), but the fix is confirmed by an upstream vendor commit.

Authentication Bypass Wekan
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Wekan versions before 8.19 fail to properly restrict attachment metadata visibility, allowing authenticated users to enumerate attachment information from boards and cards they should not have access to. This information disclosure vulnerability requires valid credentials and can expose sensitive metadata to unauthorized users across the platform. A patch is available.

Information Disclosure Wekan
NVD GitHub
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Improper authorization in the WeKan attachment upload API (versions prior to 8.19) lets an authenticated low-privileged user submit inconsistent object identifiers (boardId, cardId, swimlaneId, listId) that the server fails to cross-validate, allowing attachments to be associated with or moved across card/board relationships the user should not control. The affected component is the self-hosted open-source kanban platform WeKan; the fix (commit 1d16955b) adds server-side checks that a card actually belongs to the named board, swimlane, and list. No public exploit identified at time of analysis, EPSS is negligible (0.01%), and it is not in CISA KEV.

Authentication Bypass Wekan
NVD GitHub
EPSS 0% CVSS 8.7
HIGH PATCH This Week

LDAP filter injection in WeKan before 8.19 allows remote unauthenticated attackers to manipulate LDAP search filters and DN construction during login by supplying crafted usernames that are embedded into queries without escaping. Because the malicious input reaches the authentication path directly (CVSS 4.0 AV:N/PR:N/UI:N, base score 8.7), an attacker can tamper with the authentication logic to enumerate directory data or subvert the intended search filter. No public exploit is identified at time of analysis and EPSS exploitation probability is low (0.05%), but a vendor patch (commit 0b0e16c) is available.

LDAP Wekan Code Injection
NVD GitHub
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Improper access controls in Wekan's REST API endpoint (models/boards.js) prior to version 8.21 allow authenticated users to modify resources they should not have permission to access. The vulnerability requires valid credentials but no user interaction, making it exploitable by any authenticated attacker with network access. Administrators should upgrade to version 8.21 or later to remediate this issue.

Information Disclosure Wekan
NVD GitHub VulDB
EPSS 0% CVSS 6.3
MEDIUM PATCH This Month

Improper access controls in Wekan's attachment storage mechanism (models/attachments.js) up to version 8.20 allow authenticated remote attackers to gain unauthorized access to sensitive data and modify attachments. An attacker with valid credentials can exploit this vulnerability to read, modify, or delete attachments they should not have permission to access. Upgrading to version 8.21 or later resolves this issue.

Information Disclosure Wekan
NVD GitHub VulDB
EPSS 0% CVSS 6.3
MEDIUM PATCH This Month

Improper access controls in Wekan's attachment migration component allow authenticated remote attackers to read, modify, or disrupt service functionality. The vulnerability affects Wekan versions up to 8.20 and requires valid user credentials to exploit. Users should upgrade to version 8.21 or later to remediate this issue.

Information Disclosure Wekan
NVD GitHub VulDB
EPSS 0% CVSS 6.3
MEDIUM PATCH This Month

Improper access controls in WeKan's LDAP user synchronization component (versions up to 8.20) allow authenticated remote attackers to gain unauthorized access to sensitive information or modify data with low complexity. The vulnerability affects the LDAP User Sync functionality in packages/wekan-ldap/server/syncUser.js and requires valid credentials to exploit. WeKan 8.21 and later address this issue and should be deployed immediately.

LDAP Wekan
NVD GitHub VulDB
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

WeKan versions up to 8.20 contain an authorization bypass in the position history tracking functionality that allows authenticated remote attackers to access sensitive information without proper permissions. The vulnerability exists in the server/methods/positionHistory.js file and can be exploited by any user with login credentials. Upgrading to version 8.21 or later resolves this issue.

Authentication Bypass Wekan
NVD GitHub VulDB
EPSS 0% CVSS 6.3
MEDIUM PATCH This Month

Improper access control in Wekan's board migration function allows authenticated remote attackers to manipulate the boardId parameter and gain unauthorized access to sensitive data or modify board information. Wekan versions up to 8.20 are affected, and administrators should upgrade to version 8.21 or later to remediate this vulnerability.

Information Disclosure Wekan
NVD GitHub VulDB
EPSS 0% CVSS 6.3
MEDIUM PATCH This Month

Wekan versions up to 8.20. contains a vulnerability that allows attackers to improper access controls (CVSS 6.3).

Information Disclosure Wekan
NVD GitHub VulDB
EPSS 0% CVSS 6.3
MEDIUM PATCH This Month

Improper authorization in WeKan's REST API (versions up to 8.20) allows authenticated users to manipulate checklist item parameters and gain unauthorized access to resources across different boards and checklists. An attacker with valid credentials can exploit this vulnerability to read or modify data they should not have access to. The vulnerability has been patched in version 8.21 and users should upgrade immediately.

Information Disclosure Wekan
NVD GitHub VulDB
EPSS 0% CVSS 5.0
MEDIUM PATCH This Month

Improper authorization in WeKan's REST API setBoardOrgs function (versions up to 8.20) allows authenticated attackers to manipulate cardId, checklistId, and boardId parameters to gain unauthorized access to sensitive board information. The vulnerability requires local network access and high attack complexity, limiting its practical exploitation. A patch is available in version 8.21 and should be applied to all affected deployments.

Information Disclosure Wekan
NVD GitHub VulDB
EPSS 1% CVSS 5.4
MEDIUM POC This Month

A stored cross-site scripting (Stored XSS) vulnerability in file preview in WeKan before 6.75 allows remote authenticated users to inject arbitrary web script or HTML via names of file attachments. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS Wekan
NVD
EPSS 1% CVSS 5.4
MEDIUM PATCH This Month

Wekan v6.84 and earlier is vulnerable to Cross Site Scripting (XSS). Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

XSS Wekan
NVD GitHub
EPSS 1% CVSS 5.4
MEDIUM POC This Month

Wekan, open source kanban board system, between version 3.12 and 4.11, is vulnerable to multiple stored cross-site scripting. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS Wekan
NVD
EPSS 2% CVSS 8.1
HIGH POC PATCH This Week

packages/wekan-ldap/server/ldap.js in Wekan before 4.87 can process connections even though they are not authorized by the Certification Authority trust store,. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. Public exploit code available.

Information Disclosure Wekan
NVD GitHub
EPSS 1% CVSS 5.3
MEDIUM This Month

Wekan version 1.04.0 contains a Email / Username Enumeration vulnerability in Register' and 'Forgot your password?' pages that can result in A remote attacker could perform a brute force attack to. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Wekan
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy