Authorization Flaw in Wekan Kanban Board by Wekan
CVE-2026-55234
8.5HIGH
What is CVE-2026-55234?
Wekan, an open-source kanban management tool built on Meteor, contains a vulnerability in versions prior to 9.37 related to authorization checks. The flaw allows any authenticated user with write access to their own board to exploit the DDP update rules implemented in server/permissions files. Specifically, users can modify cards, lists, or swimlanes and transfer them into a private board they aren't authorized to access. This oversight in validating new board IDs during updates poses a significant security risk, as it can lead to unauthorized data exposure and potential data leaks.
Affected Version(s)
wekan < 9.37
