Security Flaw in Wekan Kanban Software by Wekan
CVE-2026-52893

9.2CRITICAL

Key Information:

Vendor

Wekan

Status
Vendor
CVE Published:
15 July 2026

What is CVE-2026-52893?

Wekan, an open-source kanban tool developed with Meteor, has a vulnerability in its user creation mechanism that permits an attacker to exploit the OIDC login process. Prior to version 9.32, the Accounts.onCreateUser hook would unintentionally merge OIDC credentials with existing accounts when the email or username matched. This flaw allows an attacker with an OIDC account to gain unauthorized access to another user's account without proper ownership verification, posing significant security risks. The issue is addressed in version 9.32.

Affected Version(s)

wekan < 9.32

References

CVSS V4

Score:
9.2
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
Physical
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.