CVE-2026-52893
Received Received - Intake

Account Takeover via OIDC Login Merging in Wekan

Vulnerability report for CVE-2026-52893, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-15

Last updated on: 2026-07-15

Assigner: GitHub, Inc.

Description

Wekan is open source kanban built with Meteor. Prior to 9.32, the Wekan Accounts.onCreateUser hook in server/models/users.js merges OIDC logins into existing accounts when the OIDC email or username matches an existing Wekan user, without verifying ownership or checking email_verified. An attacker using an OIDC provider account with a victim's email or username can cause Wekan to merge the attacker's OIDC credentials into the victim account and then log in as that account. This issue is fixed in version 9.32.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-15
Last Modified
2026-07-15
Generated
2026-07-16
AI Q&A
2026-07-16
EPSS Evaluated
N/A
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
wekan wekan 9.32

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-287 When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

Wekan is an open-source kanban tool built with Meteor. This vulnerability allows an attacker to take over a victim's account by exploiting OIDC login merging. If an attacker registers an OIDC account with the same email or username as an existing Wekan user, the system merges the attacker's credentials into the victim's account without verifying ownership or checking if the email is verified.

Compliance Impact

This vulnerability could lead to unauthorized access to personal or sensitive data, violating GDPR's data protection principles or HIPAA's security requirements. Organizations using Wekan may face compliance violations, legal penalties, or reputational damage if user data is compromised.

Mitigation Strategies

Upgrade Wekan to version 9.32 or later to address the vulnerability. Review OIDC login configurations to ensure proper email verification and ownership checks are enforced.

Impact Analysis

An attacker could gain unauthorized access to your Wekan account, potentially viewing, modifying, or deleting sensitive kanban board data. This could lead to data breaches, unauthorized actions, or disruption of workflows managed through Wekan.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-52893. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart