Authentication Bypass in Wekan Kanban Software by Meteor
CVE-2026-55652

9.8CRITICAL

Key Information:

Vendor

Wekan

Status
Vendor
CVE Published:
15 July 2026

What is CVE-2026-55652?

Wekan, an open-source kanban platform built with Meteor, contains an authentication bypass flaw prior to version 9.46. The vulnerability resides in the header-login feature, where the HEADER_LOGIN_TRUSTED_IPS uses the getRequestIp() function without adequate validation. Consequently, an unauthenticated attacker may exploit the trust placed in the X-Forwarded-For header, allowing them to casually send a HEADER_LOGIN_ID for any username and acquire a meteor_login_token session, even for administrative accounts. This critical flaw was rectified in version 9.46, emphasizing the importance of upgrading to protect your applications and data from unauthorized access.

Affected Version(s)

wekan < 9.46

References

CVSS V3.1

Score:
9.8
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.