Security Flaw in Wekan Kanban Software by Wekan
CVE-2026-52893
9.2CRITICAL
What is CVE-2026-52893?
Wekan, an open-source kanban tool developed with Meteor, has a vulnerability in its user creation mechanism that permits an attacker to exploit the OIDC login process. Prior to version 9.32, the Accounts.onCreateUser hook would unintentionally merge OIDC credentials with existing accounts when the email or username matched. This flaw allows an attacker with an OIDC account to gain unauthorized access to another user's account without proper ownership verification, posing significant security risks. The issue is addressed in version 9.32.
Affected Version(s)
wekan < 9.32
