Authorization Flaw in Wekan Kanban Board by Wekan
CVE-2026-55234

8.5HIGH

Key Information:

Vendor

Wekan

Status
Vendor
CVE Published:
15 July 2026

What is CVE-2026-55234?

Wekan, an open-source kanban management tool built on Meteor, contains a vulnerability in versions prior to 9.37 related to authorization checks. The flaw allows any authenticated user with write access to their own board to exploit the DDP update rules implemented in server/permissions files. Specifically, users can modify cards, lists, or swimlanes and transfer them into a private board they aren't authorized to access. This oversight in validating new board IDs during updates poses a significant security risk, as it can lead to unauthorized data exposure and potential data leaks.

Affected Version(s)

wekan < 9.37

References

CVSS V3.1

Score:
8.5
Severity:
HIGH
Confidentiality:
None
Integrity:
High
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.