Insecure Direct Object Reference Vulnerability in Wekan Kanban Tool
CVE-2026-30843
What is CVE-2026-30843?
Wekan, an open source kanban tool, is susceptible to an Insecure Direct Object Reference (IDOR) vulnerability that allows unauthorized users to modify custom fields across different boards. This issue arises from the lack of proper validation in the custom fields update endpoints. While Wekan verifies access to a specified board ID, it fails to check that the custom field being modified actually belongs to that board during the database update. As a result, an attacker with access to any board can alter custom fields on any other board by manipulating the custom field ID. This flaw also extends to the POST, PUT, and DELETE operations for dropdown items linked to custom fields. The vulnerability can be exploited by obtaining the necessary custom field IDs through board exports, which are accessible without any restricted permissions. The issue has been addressed in Wekan version 8.34.
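The missing ownership check described above, modelled as an added example in JavaScript (Wekan is a Meteor application). This is illustrative code, not Wekan's own; the board ids, field ids and board membership are constructed sample data.

```javascript
// Added illustration (not Wekan's code): an in-memory model of the
// custom-field update path. Boards, fields and memberships are constructed.
const boards = { boardA: { members: ['alice'] }, boardB: { members: ['bob'] } };
const customFields = [
  { _id: 'cfA', boardId: 'boardA', name: 'Priority' },
  { _id: 'cfB', boardId: 'boardB', name: 'Estimate' },
];

function userCanAccessBoard(userId, boardId) {
  const board = boards[boardId];
  return Boolean(board) && board.members.includes(userId);
}

// Vulnerable shape: access to boardId is verified, but the update is keyed
// only by the custom field id, so a field on a different board is reachable.
function updateCustomFieldVulnerable(userId, boardId, fieldId, newName) {
  if (!userCanAccessBoard(userId, boardId)) return { ok: false, reason: 'forbidden' };
  const field = customFields.find((f) => f._id === fieldId);
  if (!field) return { ok: false, reason: 'not-found' };
  field.name = newName;
  return { ok: true };
}

// Hardened shape: the selector also binds the field to the authorised board,
// so a field id that belongs to another board matches nothing.
function updateCustomFieldFixed(userId, boardId, fieldId, newName) {
  if (!userCanAccessBoard(userId, boardId)) return { ok: false, reason: 'forbidden' };
  const field = customFields.find((f) => f._id === fieldId && f.boardId === boardId);
  if (!field) return { ok: false, reason: 'not-found' };
  field.name = newName;
  return { ok: true };
}

// Helper for inspecting state after an update attempt.
function fieldName(fieldId) {
  return customFields.find((f) => f._id === fieldId).name;
}
```

The same board-scoped selector applies to the dropdown-item POST, PUT and DELETE handlers the advisory mentions.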
Affected Version(s)
Wekan >= 8.32, < 8.34
