Wekan
Monthly
Authentication bypass in Wekan (open-source Meteor kanban) before version 9.46 lets an unauthenticated attacker impersonate any account, including admin. The header-login feature's getRequestIp() in server/lib/headerLoginAuth.js trusts the client-supplied X-Forwarded-For header instead of the real TCP socket peer, so an attacker who can reach the HTTP port can spoof a trusted source IP and submit HEADER_LOGIN_ID for any username to receive a valid meteor_login_token session. Tracked by the vendor as 'ProxyBleed' (GHSA-jggc-qvfc-jr6x); CVSS 9.8. No public exploit identified at time of analysis and not listed in CISA KEV.
Improper access control in Wekan (self-hosted open-source Meteor kanban) before version 9.37 lets any authenticated user with write access to their own board relocate cards, lists, or swimlanes into a private board they do not belong to. The DDP update allow rules only authorize against the document's stored (source) boardId and never validate the attacker-supplied destination boardId in the update modifier, so /cards/update, /lists/update, and /swimlanes/update can be abused to inject content across a trust boundary. No public exploit identified at time of analysis, but the fixing commit and advisory publicly document the exact bypass, lowering the barrier to reproduction.
Unauthorized full-board read access in Wekan prior to v9.35 allows any authenticated user to exfiltrate the entire contents of any private board - cards, comments, attachments, member lists, and activity logs - by calling the `cloneBoard` Meteor method with an arbitrary board ID. The root cause is that `models/import.js` invokes the board exporter directly without calling `canExport()` or verifying source-board membership, the same guard correctly applied by the REST export route. No public exploit code has been identified at time of analysis, but the attack requires only a valid account and knowledge of a target board's ID, making it trivially reproducible by any developer familiar with the Meteor DDP protocol.
Account takeover in Wekan (open-source Meteor kanban) before 9.32 allows an attacker who controls an OIDC provider account asserting a victim's email or username to hijack the victim's existing Wekan account. The vulnerable Accounts.onCreateUser hook in server/models/users.js merged incoming OIDC identities into any local account whose email OR username matched, without verifying ownership or checking email_verified, letting the attacker inherit the victim's boards, attachments, API tokens, and admin status. No public exploit identified at time of analysis, but the fix is confirmed in version 9.32 and the flaw carries a CVSS 4.0 base score of 9.2 (critical).
Privilege escalation in Wekan (self-hosted Meteor kanban) before 9.32 lets any authenticated user directly invoke OIDC-only Meteor methods that lack the admin authorization checks applied to their non-OIDC counterparts. By calling setCreateOrgFromOidc, setOrgAllFieldsFromOidc, setCreateTeamFromOidc, setTeamAllFieldsFromOidc, boardRoutineOnLogin, or groupRoutineOnLogin over DDP, a low-privileged user can create or modify organizations and teams, and - when PROPAGATE_OIDC_DATA is enabled - groupRoutineOnLogin can grant that user global admin. No public exploit identified at time of analysis; the vendor fix (v9.32) is confirmed and the flaw carries a CVSS 4.0 base score of 7.6.
Broken access control in Wekan's open-source kanban server (all releases prior to 9.32) lets any authenticated user copy a private board they have no membership in. The vulnerable copyBoard Meteor DDP method in server/publications/boards.js accepts a caller-supplied board ID without verifying this.userId, membership, or admin rights, so an attacker can exfiltrate the board's cards, checklists, custom fields, labels, and rules into a board they own. No public exploit identified at time of analysis; the flaw is authenticated-only (PR:L) with an EPSS/KEV signal absent from the input.
Server-side request forgery in Wekan's webhook integration feature allows board administrators to register malicious webhook URLs that the Wekan server later fetches without private-network validation, enabling unauthorized access to internal services and cloud metadata endpoints. All Wekan deployments prior to version 9.32 are affected; the root cause is that the existing validateAttachmentUrl() guard present in models/lib/attachmentUrlValidation.js was never wired into the webhook creation and update API paths. No public exploit has been identified and this is not listed in CISA KEV, but cloud-hosted Wekan instances face meaningful credential theft risk via cloud metadata service access.
Incorrect authorization in Wekan's REST API (all versions prior to 9.32) permits any read-only board member to invoke write-level operations - creating, modifying, or deleting custom fields and dropdown items - on boards they should only be able to view. Six route handlers in server/models/customFields.js apply the read-level checkBoardAccess guard to mutating HTTP methods (POST, PUT, DELETE), instead of the write-level checkBoardWriteAccess. No public exploit or CISA KEV listing has been identified at time of analysis, but the logic flaw is straightforward to exploit by any authenticated board member with API access.
OS command injection in Wekan (the open-source Meteor-based kanban board) before version 9.07 lets an authenticated user execute arbitrary commands on the server by uploading an avatar with shell metacharacters in its filename. The user-supplied filename is embedded into a shell string passed to child_process.exec() for MIME-type detection in models/avatars.js and models/fileValidation.js, so backticks or $() in the name run as server-side commands. No public exploit is identified at time of analysis, but the vendor commit and advisory confirm the flaw; it is fixed in v9.07.
Arbitrary file read and denial of service in Wekan (open-source Meteor kanban board) before version 9.31 allows an authenticated board member to read any file the server process can access by supplying attacker-controlled versions.original.path and versions.original.storage values to the /attachments/insert DDP method. Because the server-side insert permission rule only validates board write access and the filesystem store never confirms the path stays within the storage root, a low-privileged user can exfiltrate sensitive host files or hang the process by pointing at special files like /dev/zero. There is no public exploit identified at time of analysis and the flaw is not listed in CISA KEV, but a fixing commit and release (v9.31) are public.
Cross-board authorization bypass in Wekan prior to version 9.64 allows a low-privileged authenticated user to inject checklist data into private boards where they hold no membership. The flaw resides in Meteor's collection allow rules for Checklists and ChecklistItems, which validate write access against the source card's context but ignore the destination cardId or boardId embedded in the update modifier - enabling an attacker with write access to any one board to redirect checklist mutations into boards they are not permitted to access. No active exploitation has been identified and no public exploit code exists; a vendor-confirmed fix is available in version 9.64.
Server-side request forgery in WeKan before 8.35 allows authenticated users to create or modify webhook integrations with arbitrary URLs, enabling the server to issue HTTP POST requests to internal network addresses and attacker-controlled targets. The vulnerability additionally permits unauthorized modification of comment text through response handling, affecting systems where users have integration management privileges. No active exploitation has been confirmed at time of analysis.
Privilege escalation in WeKan (versions prior to 8.35) allows authenticated board members with low privileges to perform administrative integration management without authorization checks. Attackers can enumerate webhook URLs and secrets, create/modify/delete integrations, and manipulate integration activities through unprotected REST API endpoints. CVSS 8.7 reflects high confidentiality and integrity impact with network attack vector and low complexity. VulnCheck reported this vulnerability with vendor patch available in version 8.35 and commit 2cd702f. EPSS data not available; no confirmed active exploitation or POC identified at time of analysis.
Wekan is an open source kanban tool built with Meteor. [CVSS 6.5 MEDIUM]
Wekan versions 8.31.0 through 8.33 expose global webhook configurations including sensitive URLs and authentication tokens through an unauthenticated server-side publication, allowing any network-based attacker to retrieve webhook credentials without authentication. An attacker exploiting this vulnerability could hijack webhook integrations and gain unauthorized access to connected external services. The vulnerability has been patched in version 8.34.
Wekan versions 8.31.0 through 8.33 expose webhook URLs and authentication tokens to all board members through unfiltered publication of integration data, allowing any user with board access—including read-only members and users on public boards—to retrieve sensitive credentials. Attackers can leverage these exposed tokens to make unauthorized requests to connected external services and trigger unintended actions. The vulnerability affects Wekan's board composite publication mechanism and has been patched in version 8.34.
Server-Side Request Forgery in Wekan 8.32-8.33 allows authenticated users to force the server to make arbitrary HTTP requests by supplying malicious attachment URLs during board imports from JSON data or Trello. An attacker could exploit this to access internal network services, cloud metadata endpoints, or expose sensitive credentials without any URL validation occurring on the server side.
Wekan versions 8.32 and 8.33 allow authenticated users to modify custom fields across any board due to insufficient access validation in the custom fields API endpoints. An attacker with access to one board can exploit this Insecure Direct Object Reference vulnerability to manipulate custom fields on other boards by supplying foreign field IDs. A patch is available to address this authorization bypass.
Wekan versions up to 8.18 contain an authorization bypass in the custom translation handler that allows authenticated users to manipulate translation settings they should not have access to. An attacker with valid credentials can exploit the setCreateTranslation function to gain unauthorized access to modify translations, potentially affecting application functionality and data integrity. The vulnerability has been patched in version 8.19 and users should upgrade immediately.
Wekan versions up to 8.20 contain an authorization bypass in the Rules Handler component that allows authenticated remote attackers to access unauthorized information through the rules.js file. The vulnerability requires valid credentials but no user interaction, enabling low-impact confidentiality breaches. Upgrading to version 8.21 resolves this issue.
WeKan versions up to 8.20 contain an information disclosure vulnerability in the Activity Publication Handler that allows unauthenticated remote attackers to access sensitive data through manipulation of the activities.js file. The vulnerability requires no user interaction and can be exploited over the network with low complexity. Users should upgrade to version 8.21 or apply patch 91a936e07d2976d4246dfe834281c3aaa87f9503 to remediate this issue.
Improper access controls in WeKan's administrative repair handler (fixDuplicateLists.js) allow authenticated remote attackers to manipulate list data and gain unauthorized access to sensitive information. Affected versions through 8.20 can be remediated by upgrading to version 8.21 or applying the referenced patch.
WeKan versions up to 8.20 contain an information disclosure vulnerability in the Meteor Publication Handler's card publication mechanism that allows authenticated remote attackers to access sensitive data. The vulnerability requires valid credentials but no user interaction to exploit, and is resolved in version 8.21.
Broken authorization in Wekan versions prior to 8.20 lets any authenticated non-administrative user invoke board migration functionality that should be restricted to board administrators. Because permission checks on the migration methods (e.g. comprehensiveBoardMigration.execute) are insufficient, a low-privileged user can trigger unauthorized migration operations that mutate board structure and data. EPSS is very low (0.05%, 15th percentile) and there is no public exploit identified at time of analysis, but a vendor patch and fix commit are available.
Authorization bypass in WeKan (self-hosted kanban board) versions prior to 8.19 lets an authenticated user create public boards even when the instance-wide allowPrivateOnly setting is enabled, because server-side enforcement of the visibility policy is incomplete at board-creation time. The flaw undermines an administrator's expectation that all boards remain private, potentially exposing board content beyond intended audiences. EPSS is low (0.03%, 9th percentile) with no public exploit identified at time of analysis and no CISA KEV listing; a vendor patch is available.
Wekan versions up to 8.19 is affected by authorization bypass through user-controlled key (CVSS 4.3).
Improper authorization in WeKan's card-move API lets an authenticated low-privilege user relocate cards to boards, lists, and swimlanes they do not control, because the destination is trusted without verifying access rights or that the target objects belong to the destination board. All WeKan versions before 8.19 are affected; no public exploit is identified at time of analysis and EPSS is negligible (0.01%), but the fixing commit publicly documents the missing checks, lowering the bar to reproduce.
Privilege escalation via broken authorization in WeKan (the open-source kanban board) before 8.19 lets users holding read-only board roles modify cards, lists, and swimlanes that should require write access. The flaw stems from card/list/swimlane update API routes calling a read-level access check instead of a write-level check, letting a low-privileged but authenticated member tamper with data they should only be able to view. There is no public exploit identified at time of analysis and EPSS is negligible (0.01%), but the fix is confirmed in an upstream commit and the CVSS 4.0 base score is 7.1.
Cross-board data tampering in WeKan (open-source Trello-style kanban board) before version 8.19 lets an authenticated low-privileged user manipulate checklists on cards belonging to boards they should not access. The checklist creation, deletion, and related REST routes accept a cardId without confirming it belongs to the supplied boardId, so an attacker can forge identifiers to add or remove checklists on other users' cards. No public exploit identified at time of analysis, and EPSS is negligible (0.01%), but the vendor fix commit confirms the root cause and a straightforward exploitation path.
Cross-board data tampering in WeKan (the open-source Trello-style kanban board) before version 8.19 lets an authenticated low-privilege user attach checklists to cards on boards they do not own by supplying a mismatched cardId/boardId pair. Because the checklist creation routes never confirm the card actually belongs to the referenced board, any logged-in user can manipulate identifiers to write into other users' boards. No public exploit is identified at time of analysis and EPSS exploitation probability is negligible (0.01%), but the fix is confirmed by an upstream vendor commit.
Wekan versions before 8.19 fail to properly restrict attachment metadata visibility, allowing authenticated users to enumerate attachment information from boards and cards they should not have access to. This information disclosure vulnerability requires valid credentials and can expose sensitive metadata to unauthorized users across the platform. A patch is available.
Improper authorization in the WeKan attachment upload API (versions prior to 8.19) lets an authenticated low-privileged user submit inconsistent object identifiers (boardId, cardId, swimlaneId, listId) that the server fails to cross-validate, allowing attachments to be associated with or moved across card/board relationships the user should not control. The affected component is the self-hosted open-source kanban platform WeKan; the fix (commit 1d16955b) adds server-side checks that a card actually belongs to the named board, swimlane, and list. No public exploit identified at time of analysis, EPSS is negligible (0.01%), and it is not in CISA KEV.
LDAP filter injection in WeKan before 8.19 allows remote unauthenticated attackers to manipulate LDAP search filters and DN construction during login by supplying crafted usernames that are embedded into queries without escaping. Because the malicious input reaches the authentication path directly (CVSS 4.0 AV:N/PR:N/UI:N, base score 8.7), an attacker can tamper with the authentication logic to enumerate directory data or subvert the intended search filter. No public exploit is identified at time of analysis and EPSS exploitation probability is low (0.05%), but a vendor patch (commit 0b0e16c) is available.
Improper access controls in Wekan's REST API endpoint (models/boards.js) prior to version 8.21 allow authenticated users to modify resources they should not have permission to access. The vulnerability requires valid credentials but no user interaction, making it exploitable by any authenticated attacker with network access. Administrators should upgrade to version 8.21 or later to remediate this issue.
Improper access controls in Wekan's attachment storage mechanism (models/attachments.js) up to version 8.20 allow authenticated remote attackers to gain unauthorized access to sensitive data and modify attachments. An attacker with valid credentials can exploit this vulnerability to read, modify, or delete attachments they should not have permission to access. Upgrading to version 8.21 or later resolves this issue.
Improper access controls in Wekan's attachment migration component allow authenticated remote attackers to read, modify, or disrupt service functionality. The vulnerability affects Wekan versions up to 8.20 and requires valid user credentials to exploit. Users should upgrade to version 8.21 or later to remediate this issue.
Improper access controls in WeKan's LDAP user synchronization component (versions up to 8.20) allow authenticated remote attackers to gain unauthorized access to sensitive information or modify data with low complexity. The vulnerability affects the LDAP User Sync functionality in packages/wekan-ldap/server/syncUser.js and requires valid credentials to exploit. WeKan 8.21 and later address this issue and should be deployed immediately.
WeKan versions up to 8.20 contain an authorization bypass in the position history tracking functionality that allows authenticated remote attackers to access sensitive information without proper permissions. The vulnerability exists in the server/methods/positionHistory.js file and can be exploited by any user with login credentials. Upgrading to version 8.21 or later resolves this issue.
Improper access control in Wekan's board migration function allows authenticated remote attackers to manipulate the boardId parameter and gain unauthorized access to sensitive data or modify board information. Wekan versions up to 8.20 are affected, and administrators should upgrade to version 8.21 or later to remediate this vulnerability.
Wekan versions up to 8.20. contains a vulnerability that allows attackers to improper access controls (CVSS 6.3).
Improper authorization in WeKan's REST API (versions up to 8.20) allows authenticated users to manipulate checklist item parameters and gain unauthorized access to resources across different boards and checklists. An attacker with valid credentials can exploit this vulnerability to read or modify data they should not have access to. The vulnerability has been patched in version 8.21 and users should upgrade immediately.
Improper authorization in WeKan's REST API setBoardOrgs function (versions up to 8.20) allows authenticated attackers to manipulate cardId, checklistId, and boardId parameters to gain unauthorized access to sensitive board information. The vulnerability requires local network access and high attack complexity, limiting its practical exploitation. A patch is available in version 8.21 and should be applied to all affected deployments.
A stored cross-site scripting (Stored XSS) vulnerability in file preview in WeKan before 6.75 allows remote authenticated users to inject arbitrary web script or HTML via names of file attachments. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
Wekan v6.84 and earlier is vulnerable to Cross Site Scripting (XSS). Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.
Wekan, open source kanban board system, between version 3.12 and 4.11, is vulnerable to multiple stored cross-site scripting. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
packages/wekan-ldap/server/ldap.js in Wekan before 4.87 can process connections even though they are not authorized by the Certification Authority trust store,. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. Public exploit code available.
Wekan version 1.04.0 contains a Email / Username Enumeration vulnerability in Register' and 'Forgot your password?' pages that can result in A remote attacker could perform a brute force attack to. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Authentication bypass in Wekan (open-source Meteor kanban) before version 9.46 lets an unauthenticated attacker impersonate any account, including admin. The header-login feature's getRequestIp() in server/lib/headerLoginAuth.js trusts the client-supplied X-Forwarded-For header instead of the real TCP socket peer, so an attacker who can reach the HTTP port can spoof a trusted source IP and submit HEADER_LOGIN_ID for any username to receive a valid meteor_login_token session. Tracked by the vendor as 'ProxyBleed' (GHSA-jggc-qvfc-jr6x); CVSS 9.8. No public exploit identified at time of analysis and not listed in CISA KEV.
Improper access control in Wekan (self-hosted open-source Meteor kanban) before version 9.37 lets any authenticated user with write access to their own board relocate cards, lists, or swimlanes into a private board they do not belong to. The DDP update allow rules only authorize against the document's stored (source) boardId and never validate the attacker-supplied destination boardId in the update modifier, so /cards/update, /lists/update, and /swimlanes/update can be abused to inject content across a trust boundary. No public exploit identified at time of analysis, but the fixing commit and advisory publicly document the exact bypass, lowering the barrier to reproduction.
Unauthorized full-board read access in Wekan prior to v9.35 allows any authenticated user to exfiltrate the entire contents of any private board - cards, comments, attachments, member lists, and activity logs - by calling the `cloneBoard` Meteor method with an arbitrary board ID. The root cause is that `models/import.js` invokes the board exporter directly without calling `canExport()` or verifying source-board membership, the same guard correctly applied by the REST export route. No public exploit code has been identified at time of analysis, but the attack requires only a valid account and knowledge of a target board's ID, making it trivially reproducible by any developer familiar with the Meteor DDP protocol.
Account takeover in Wekan (open-source Meteor kanban) before 9.32 allows an attacker who controls an OIDC provider account asserting a victim's email or username to hijack the victim's existing Wekan account. The vulnerable Accounts.onCreateUser hook in server/models/users.js merged incoming OIDC identities into any local account whose email OR username matched, without verifying ownership or checking email_verified, letting the attacker inherit the victim's boards, attachments, API tokens, and admin status. No public exploit identified at time of analysis, but the fix is confirmed in version 9.32 and the flaw carries a CVSS 4.0 base score of 9.2 (critical).
Privilege escalation in Wekan (self-hosted Meteor kanban) before 9.32 lets any authenticated user directly invoke OIDC-only Meteor methods that lack the admin authorization checks applied to their non-OIDC counterparts. By calling setCreateOrgFromOidc, setOrgAllFieldsFromOidc, setCreateTeamFromOidc, setTeamAllFieldsFromOidc, boardRoutineOnLogin, or groupRoutineOnLogin over DDP, a low-privileged user can create or modify organizations and teams, and - when PROPAGATE_OIDC_DATA is enabled - groupRoutineOnLogin can grant that user global admin. No public exploit identified at time of analysis; the vendor fix (v9.32) is confirmed and the flaw carries a CVSS 4.0 base score of 7.6.
Broken access control in Wekan's open-source kanban server (all releases prior to 9.32) lets any authenticated user copy a private board they have no membership in. The vulnerable copyBoard Meteor DDP method in server/publications/boards.js accepts a caller-supplied board ID without verifying this.userId, membership, or admin rights, so an attacker can exfiltrate the board's cards, checklists, custom fields, labels, and rules into a board they own. No public exploit identified at time of analysis; the flaw is authenticated-only (PR:L) with an EPSS/KEV signal absent from the input.
Server-side request forgery in Wekan's webhook integration feature allows board administrators to register malicious webhook URLs that the Wekan server later fetches without private-network validation, enabling unauthorized access to internal services and cloud metadata endpoints. All Wekan deployments prior to version 9.32 are affected; the root cause is that the existing validateAttachmentUrl() guard present in models/lib/attachmentUrlValidation.js was never wired into the webhook creation and update API paths. No public exploit has been identified and this is not listed in CISA KEV, but cloud-hosted Wekan instances face meaningful credential theft risk via cloud metadata service access.
Incorrect authorization in Wekan's REST API (all versions prior to 9.32) permits any read-only board member to invoke write-level operations - creating, modifying, or deleting custom fields and dropdown items - on boards they should only be able to view. Six route handlers in server/models/customFields.js apply the read-level checkBoardAccess guard to mutating HTTP methods (POST, PUT, DELETE), instead of the write-level checkBoardWriteAccess. No public exploit or CISA KEV listing has been identified at time of analysis, but the logic flaw is straightforward to exploit by any authenticated board member with API access.
OS command injection in Wekan (the open-source Meteor-based kanban board) before version 9.07 lets an authenticated user execute arbitrary commands on the server by uploading an avatar with shell metacharacters in its filename. The user-supplied filename is embedded into a shell string passed to child_process.exec() for MIME-type detection in models/avatars.js and models/fileValidation.js, so backticks or $() in the name run as server-side commands. No public exploit is identified at time of analysis, but the vendor commit and advisory confirm the flaw; it is fixed in v9.07.
Arbitrary file read and denial of service in Wekan (open-source Meteor kanban board) before version 9.31 allows an authenticated board member to read any file the server process can access by supplying attacker-controlled versions.original.path and versions.original.storage values to the /attachments/insert DDP method. Because the server-side insert permission rule only validates board write access and the filesystem store never confirms the path stays within the storage root, a low-privileged user can exfiltrate sensitive host files or hang the process by pointing at special files like /dev/zero. There is no public exploit identified at time of analysis and the flaw is not listed in CISA KEV, but a fixing commit and release (v9.31) are public.
Cross-board authorization bypass in Wekan prior to version 9.64 allows a low-privileged authenticated user to inject checklist data into private boards where they hold no membership. The flaw resides in Meteor's collection allow rules for Checklists and ChecklistItems, which validate write access against the source card's context but ignore the destination cardId or boardId embedded in the update modifier - enabling an attacker with write access to any one board to redirect checklist mutations into boards they are not permitted to access. No active exploitation has been identified and no public exploit code exists; a vendor-confirmed fix is available in version 9.64.
Server-side request forgery in WeKan before 8.35 allows authenticated users to create or modify webhook integrations with arbitrary URLs, enabling the server to issue HTTP POST requests to internal network addresses and attacker-controlled targets. The vulnerability additionally permits unauthorized modification of comment text through response handling, affecting systems where users have integration management privileges. No active exploitation has been confirmed at time of analysis.
Privilege escalation in WeKan (versions prior to 8.35) allows authenticated board members with low privileges to perform administrative integration management without authorization checks. Attackers can enumerate webhook URLs and secrets, create/modify/delete integrations, and manipulate integration activities through unprotected REST API endpoints. CVSS 8.7 reflects high confidentiality and integrity impact with network attack vector and low complexity. VulnCheck reported this vulnerability with vendor patch available in version 8.35 and commit 2cd702f. EPSS data not available; no confirmed active exploitation or POC identified at time of analysis.
Wekan is an open source kanban tool built with Meteor. [CVSS 6.5 MEDIUM]
Wekan versions 8.31.0 through 8.33 expose global webhook configurations including sensitive URLs and authentication tokens through an unauthenticated server-side publication, allowing any network-based attacker to retrieve webhook credentials without authentication. An attacker exploiting this vulnerability could hijack webhook integrations and gain unauthorized access to connected external services. The vulnerability has been patched in version 8.34.
Wekan versions 8.31.0 through 8.33 expose webhook URLs and authentication tokens to all board members through unfiltered publication of integration data, allowing any user with board access—including read-only members and users on public boards—to retrieve sensitive credentials. Attackers can leverage these exposed tokens to make unauthorized requests to connected external services and trigger unintended actions. The vulnerability affects Wekan's board composite publication mechanism and has been patched in version 8.34.
Server-Side Request Forgery in Wekan 8.32-8.33 allows authenticated users to force the server to make arbitrary HTTP requests by supplying malicious attachment URLs during board imports from JSON data or Trello. An attacker could exploit this to access internal network services, cloud metadata endpoints, or expose sensitive credentials without any URL validation occurring on the server side.
Wekan versions 8.32 and 8.33 allow authenticated users to modify custom fields across any board due to insufficient access validation in the custom fields API endpoints. An attacker with access to one board can exploit this Insecure Direct Object Reference vulnerability to manipulate custom fields on other boards by supplying foreign field IDs. A patch is available to address this authorization bypass.
Wekan versions up to 8.18 contain an authorization bypass in the custom translation handler that allows authenticated users to manipulate translation settings they should not have access to. An attacker with valid credentials can exploit the setCreateTranslation function to gain unauthorized access to modify translations, potentially affecting application functionality and data integrity. The vulnerability has been patched in version 8.19 and users should upgrade immediately.
Wekan versions up to 8.20 contain an authorization bypass in the Rules Handler component that allows authenticated remote attackers to access unauthorized information through the rules.js file. The vulnerability requires valid credentials but no user interaction, enabling low-impact confidentiality breaches. Upgrading to version 8.21 resolves this issue.
WeKan versions up to 8.20 contain an information disclosure vulnerability in the Activity Publication Handler that allows unauthenticated remote attackers to access sensitive data through manipulation of the activities.js file. The vulnerability requires no user interaction and can be exploited over the network with low complexity. Users should upgrade to version 8.21 or apply patch 91a936e07d2976d4246dfe834281c3aaa87f9503 to remediate this issue.
Improper access controls in WeKan's administrative repair handler (fixDuplicateLists.js) allow authenticated remote attackers to manipulate list data and gain unauthorized access to sensitive information. Affected versions through 8.20 can be remediated by upgrading to version 8.21 or applying the referenced patch.
WeKan versions up to 8.20 contain an information disclosure vulnerability in the Meteor Publication Handler's card publication mechanism that allows authenticated remote attackers to access sensitive data. The vulnerability requires valid credentials but no user interaction to exploit, and is resolved in version 8.21.
Broken authorization in Wekan versions prior to 8.20 lets any authenticated non-administrative user invoke board migration functionality that should be restricted to board administrators. Because permission checks on the migration methods (e.g. comprehensiveBoardMigration.execute) are insufficient, a low-privileged user can trigger unauthorized migration operations that mutate board structure and data. EPSS is very low (0.05%, 15th percentile) and there is no public exploit identified at time of analysis, but a vendor patch and fix commit are available.
Authorization bypass in WeKan (self-hosted kanban board) versions prior to 8.19 lets an authenticated user create public boards even when the instance-wide allowPrivateOnly setting is enabled, because server-side enforcement of the visibility policy is incomplete at board-creation time. The flaw undermines an administrator's expectation that all boards remain private, potentially exposing board content beyond intended audiences. EPSS is low (0.03%, 9th percentile) with no public exploit identified at time of analysis and no CISA KEV listing; a vendor patch is available.
Wekan versions up to 8.19 is affected by authorization bypass through user-controlled key (CVSS 4.3).
Improper authorization in WeKan's card-move API lets an authenticated low-privilege user relocate cards to boards, lists, and swimlanes they do not control, because the destination is trusted without verifying access rights or that the target objects belong to the destination board. All WeKan versions before 8.19 are affected; no public exploit is identified at time of analysis and EPSS is negligible (0.01%), but the fixing commit publicly documents the missing checks, lowering the bar to reproduce.
Privilege escalation via broken authorization in WeKan (the open-source kanban board) before 8.19 lets users holding read-only board roles modify cards, lists, and swimlanes that should require write access. The flaw stems from card/list/swimlane update API routes calling a read-level access check instead of a write-level check, letting a low-privileged but authenticated member tamper with data they should only be able to view. There is no public exploit identified at time of analysis and EPSS is negligible (0.01%), but the fix is confirmed in an upstream commit and the CVSS 4.0 base score is 7.1.
Cross-board data tampering in WeKan (open-source Trello-style kanban board) before version 8.19 lets an authenticated low-privileged user manipulate checklists on cards belonging to boards they should not access. The checklist creation, deletion, and related REST routes accept a cardId without confirming it belongs to the supplied boardId, so an attacker can forge identifiers to add or remove checklists on other users' cards. No public exploit identified at time of analysis, and EPSS is negligible (0.01%), but the vendor fix commit confirms the root cause and a straightforward exploitation path.
Cross-board data tampering in WeKan (the open-source Trello-style kanban board) before version 8.19 lets an authenticated low-privilege user attach checklists to cards on boards they do not own by supplying a mismatched cardId/boardId pair. Because the checklist creation routes never confirm the card actually belongs to the referenced board, any logged-in user can manipulate identifiers to write into other users' boards. No public exploit is identified at time of analysis and EPSS exploitation probability is negligible (0.01%), but the fix is confirmed by an upstream vendor commit.
Wekan versions before 8.19 fail to properly restrict attachment metadata visibility, allowing authenticated users to enumerate attachment information from boards and cards they should not have access to. This information disclosure vulnerability requires valid credentials and can expose sensitive metadata to unauthorized users across the platform. A patch is available.
Improper authorization in the WeKan attachment upload API (versions prior to 8.19) lets an authenticated low-privileged user submit inconsistent object identifiers (boardId, cardId, swimlaneId, listId) that the server fails to cross-validate, allowing attachments to be associated with or moved across card/board relationships the user should not control. The affected component is the self-hosted open-source kanban platform WeKan; the fix (commit 1d16955b) adds server-side checks that a card actually belongs to the named board, swimlane, and list. No public exploit identified at time of analysis, EPSS is negligible (0.01%), and it is not in CISA KEV.
LDAP filter injection in WeKan before 8.19 allows remote unauthenticated attackers to manipulate LDAP search filters and DN construction during login by supplying crafted usernames that are embedded into queries without escaping. Because the malicious input reaches the authentication path directly (CVSS 4.0 AV:N/PR:N/UI:N, base score 8.7), an attacker can tamper with the authentication logic to enumerate directory data or subvert the intended search filter. No public exploit is identified at time of analysis and EPSS exploitation probability is low (0.05%), but a vendor patch (commit 0b0e16c) is available.
Improper access controls in Wekan's REST API endpoint (models/boards.js) prior to version 8.21 allow authenticated users to modify resources they should not have permission to access. The vulnerability requires valid credentials but no user interaction, making it exploitable by any authenticated attacker with network access. Administrators should upgrade to version 8.21 or later to remediate this issue.
Improper access controls in Wekan's attachment storage mechanism (models/attachments.js) up to version 8.20 allow authenticated remote attackers to gain unauthorized access to sensitive data and modify attachments. An attacker with valid credentials can exploit this vulnerability to read, modify, or delete attachments they should not have permission to access. Upgrading to version 8.21 or later resolves this issue.
Improper access controls in Wekan's attachment migration component allow authenticated remote attackers to read, modify, or disrupt service functionality. The vulnerability affects Wekan versions up to 8.20 and requires valid user credentials to exploit. Users should upgrade to version 8.21 or later to remediate this issue.
Improper access controls in WeKan's LDAP user synchronization component (versions up to 8.20) allow authenticated remote attackers to gain unauthorized access to sensitive information or modify data with low complexity. The vulnerability affects the LDAP User Sync functionality in packages/wekan-ldap/server/syncUser.js and requires valid credentials to exploit. WeKan 8.21 and later address this issue and should be deployed immediately.
WeKan versions up to 8.20 contain an authorization bypass in the position history tracking functionality that allows authenticated remote attackers to access sensitive information without proper permissions. The vulnerability exists in the server/methods/positionHistory.js file and can be exploited by any user with login credentials. Upgrading to version 8.21 or later resolves this issue.
Improper access control in Wekan's board migration function allows authenticated remote attackers to manipulate the boardId parameter and gain unauthorized access to sensitive data or modify board information. Wekan versions up to 8.20 are affected, and administrators should upgrade to version 8.21 or later to remediate this vulnerability.
Wekan versions up to 8.20. contains a vulnerability that allows attackers to improper access controls (CVSS 6.3).
Improper authorization in WeKan's REST API (versions up to 8.20) allows authenticated users to manipulate checklist item parameters and gain unauthorized access to resources across different boards and checklists. An attacker with valid credentials can exploit this vulnerability to read or modify data they should not have access to. The vulnerability has been patched in version 8.21 and users should upgrade immediately.
Improper authorization in WeKan's REST API setBoardOrgs function (versions up to 8.20) allows authenticated attackers to manipulate cardId, checklistId, and boardId parameters to gain unauthorized access to sensitive board information. The vulnerability requires local network access and high attack complexity, limiting its practical exploitation. A patch is available in version 8.21 and should be applied to all affected deployments.
A stored cross-site scripting (Stored XSS) vulnerability in file preview in WeKan before 6.75 allows remote authenticated users to inject arbitrary web script or HTML via names of file attachments. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
Wekan v6.84 and earlier is vulnerable to Cross Site Scripting (XSS). Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.
Wekan, open source kanban board system, between version 3.12 and 4.11, is vulnerable to multiple stored cross-site scripting. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
packages/wekan-ldap/server/ldap.js in Wekan before 4.87 can process connections even though they are not authorized by the Certification Authority trust store,. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. Public exploit code available.
Wekan version 1.04.0 contains a Email / Username Enumeration vulnerability in Register' and 'Forgot your password?' pages that can result in A remote attacker could perform a brute force attack to. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.