CVE-2026-30843
Critical IDOR in Wekan Custom Fields Allows Unauthorized Modification

Publication date: 2026-03-06

Last updated on: 2026-03-11

Assigner: GitHub, Inc.

Description
Wekan is an open source kanban tool built with Meteor. Versions 8.32 and 8.33 have a critical Insecure Direct Object Reference (IDOR) issue which could allow unauthorized users to modify custom fields across boards through its custom fields update endpoints, potentially leading to unauthorized data manipulation. The PUT /api/boards/:boardId/custom-fields/:customFieldId endpoint in Wekan validates that the authenticated user has access to the specified boardId, but the subsequent database update uses only the custom field's _id as a filter without confirming the field actually belongs to that board. This means an attacker who owns any board can modify custom fields on any other board by supplying a foreign custom field ID, and the same flaw exists in the POST, PUT, and DELETE endpoints for dropdown items under custom fields. The required custom field IDs can be obtained by exporting a board (which only needs read access), since the exported JSON includes the IDs of all board components. The authorization check is performed against the wrong resource, allowing cross-board custom field manipulation. This issue has been fixed in version 8.34.
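To make the "authorization check against the wrong resource" pattern concrete, here is an added JavaScript illustration (not Wekan's own code; the in-memory collection, the board membership table and the function names are constructed stand-ins) showing the vulnerable update shape next to the hardened one:

```javascript
// Added illustration of the CVE-2026-30843 pattern; not Wekan's own code.
// customFields is a constructed in-memory stand-in for the CustomFields
// collection; updateWhere mimics a Mongo-style update(selector, modifier).
const customFields = [
  { _id: 'cf-A1', boardId: 'board-own', name: 'Priority' },
  { _id: 'cf-B9', boardId: 'board-other', name: 'Cost center' },
];
const boardMembers = { 'board-own': ['u1'], 'board-other': ['u2'] };

function updateWhere(selector, fields) {
  let modified = 0;
  for (const doc of customFields) {
    if (Object.keys(selector).every((k) => doc[k] === selector[k])) {
      Object.assign(doc, fields);
      modified += 1;
    }
  }
  return modified; // number of documents changed
}

function userHasBoardAccess(userId, boardId) {
  return (boardMembers[boardId] || []).includes(userId);
}

// Vulnerable shape: board access is checked, but the update selector is
// only { _id }, so a customFieldId belonging to another board still matches.
function updateCustomFieldVulnerable(userId, boardId, customFieldId, fields) {
  if (!userHasBoardAccess(userId, boardId)) return 0;
  return updateWhere({ _id: customFieldId }, fields);
}

// Hardened shape: the selector also binds boardId, so the update touches
// the field only if it belongs to the board the user was authorized for.
function updateCustomFieldFixed(userId, boardId, customFieldId, fields) {
  if (!userHasBoardAccess(userId, boardId)) return 0;
  return updateWhere({ _id: customFieldId, boardId }, fields);
}

// u1 is a member of board-own only and supplies cf-B9, a field id that
// belongs to board-other: the vulnerable shape modifies it, the fixed one does not.
console.log(updateCustomFieldVulnerable('u1', 'board-own', 'cf-B9', { name: 'x' })); // 1
console.log(updateCustomFieldFixed('u1', 'board-own', 'cf-B9', { name: 'x' }));      // 0
```

The same selector change applies to the dropdown-item create, update and delete paths the advisory mentions: every write must be scoped to the board the caller was authorized for, not just to the object id from the URL.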
Meta Information
Published: 2026-03-06
Last Modified: 2026-03-11
Generated: 2026-05-07
AI Q&A: 2026-03-06
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Vendor Product Version / Range
wekan_project wekan 8.32
wekan_project wekan 8.33
CWE
CWE-639: The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
AI Powered Q&A
What immediate steps should I take to mitigate this vulnerability?

The primary mitigation step is to upgrade Wekan to version 8.34 or later, where this vulnerability has been fixed by enforcing board-level access control on custom field updates.

Until the upgrade can be applied, consider restricting access to the affected API endpoints to trusted users only and monitoring API usage closely for suspicious activity.

Additionally, review and audit board permissions to ensure users only have access to boards they are authorized to modify.


Can you explain this vulnerability to me?

CVE-2026-30843 is a critical Insecure Direct Object Reference (IDOR) vulnerability in Wekan versions 8.32 and 8.33, an open source kanban tool. The issue arises because the API endpoint for updating custom fields on boards validates that a user has access to a board but does not verify that the custom field being modified actually belongs to that board. This allows an attacker who owns any board to modify custom fields on other boards by supplying foreign custom field IDs.

The vulnerability also affects related endpoints for dropdown items within custom fields, enabling unauthorized modification or deletion of dropdown items on boards the attacker does not own. Attackers can obtain the necessary custom field IDs by exporting a board, which only requires read access, since the exported JSON includes all component IDs.


How can this vulnerability impact me?

This vulnerability can lead to unauthorized data manipulation on Wekan boards. An attacker with access to any board can modify custom fields and dropdown items on other boards without permission, potentially altering board configurations, data labels, or dropdown options.

Such unauthorized modifications can disrupt workflows, cause data integrity issues, and compromise the reliability of information managed within Wekan. Since the attacker only needs read access to export board data and obtain IDs, the risk of exploitation is significant.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability involves unauthorized modification of custom fields on Wekan boards through API endpoints by exploiting an IDOR flaw. Detection involves monitoring API requests to the custom fields endpoints for suspicious activity, such as unauthorized PUT, POST, or DELETE requests to /api/boards/:boardId/custom-fields/:customFieldId or related dropdown items endpoints.

You can detect potential exploitation attempts by checking logs for API calls where the authenticated user modifies custom fields or dropdown items on boards they do not own.

Suggested commands to detect suspicious activity include:

- Using grep or similar tools to search Wekan server logs for API calls to custom fields endpoints, e.g.:
- grep -E 'PUT /api/boards/.+/custom-fields/.+' /path/to/wekan/logs/access.log
- grep -E 'POST /api/boards/.+/custom-fields/.+/dropdown-items' /path/to/wekan/logs/access.log
- grep -E 'DELETE /api/boards/.+/custom-fields/.+/dropdown-items/.+' /path/to/wekan/logs/access.log

Further detection requires correlating these API calls with user permissions and board ownership to identify unauthorized modifications.
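The correlation step in that answer, as an added JavaScript example that is not part of the original page: it checks each custom-field write request against a table of which board each custom field belongs to and flags requests whose customFieldId is not owned by the boardId in the URL. The log line format and the ownership table are constructed assumptions, since the page does not specify Wekan's access log format; in practice both would come from the deployment's own logs and database.

```javascript
// Added example, not part of the original page. The log format below is an
// assumed "<user> <method> <path> <status>" layout and the field->board
// table is constructed; a real check would read both from the deployment.
const fieldOwner = { 'cf-A1': 'board-1', 'cf-B9': 'board-2' };

const sampleLog = [
  'alice PUT /api/boards/board-1/custom-fields/cf-A1 200',
  'alice PUT /api/boards/board-1/custom-fields/cf-B9 200',
  'bob POST /api/boards/board-2/custom-fields/cf-B9/dropdown-items 200',
  'alice DELETE /api/boards/board-1/custom-fields/cf-B9/dropdown-items/item-3 200',
  'alice GET /api/boards/board-1/custom-fields/cf-A1 200',
];

// Matches only the write methods the advisory names, and captures the
// boardId and customFieldId segments of the custom-fields endpoints,
// including the dropdown-items sub-paths.
const CF_WRITE_RE = /^(\S+) (PUT|POST|DELETE) \/api\/boards\/([^/\s]+)\/custom-fields\/([^/\s]+)/;

function findCrossBoardWrites(lines, ownerTable) {
  const hits = [];
  for (const line of lines) {
    const m = CF_WRITE_RE.exec(line);
    if (!m) continue;                   // not a write to a custom-field endpoint
    const [, user, method, boardId, customFieldId] = m;
    const owner = ownerTable[customFieldId];
    if (owner === undefined) continue;  // unknown field id: cannot correlate
    if (owner !== boardId) {
      // The caller was authorized for boardId, but the field lives elsewhere:
      // exactly the cross-board write CVE-2026-30843 allows.
      hits.push({ user, method, boardId, customFieldId, owner, line });
    }
  }
  return hits;
}

for (const hit of findCrossBoardWrites(sampleLog, fieldOwner)) {
  console.log(`${hit.user} ${hit.method} on ${hit.customFieldId} (owned by ${hit.owner}) via ${hit.boardId}`);
}
```

Two of the five constructed lines are flagged: the PUT and the DELETE where alice addresses cf-B9 (owned by board-2) through board-1.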

