Authentication Bypass in Wekan Kanban Software by Meteor
CVE-2026-55652
9.8CRITICAL
What is CVE-2026-55652?
Wekan, an open-source kanban platform built with Meteor, contains an authentication bypass flaw prior to version 9.46. The vulnerability resides in the header-login feature, where the HEADER_LOGIN_TRUSTED_IPS uses the getRequestIp() function without adequate validation. Consequently, an unauthenticated attacker may exploit the trust placed in the X-Forwarded-For header, allowing them to casually send a HEADER_LOGIN_ID for any username and acquire a meteor_login_token session, even for administrative accounts. This critical flaw was rectified in version 9.46, emphasizing the importance of upgrading to protect your applications and data from unauthorized access.
Affected Version(s)
wekan < 9.46
