CVE-2026-53445
Received Received - Intake

Wekan Board Copy Privilege Escalation Vulnerability

Vulnerability report for CVE-2026-53445, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-15

Last updated on: 2026-07-15

Assigner: GitHub, Inc.

Description

Wekan is open source kanban built with Meteor. Prior to 9.32, the Wekan copyBoard Meteor DDP method in server/publications/boards.js copies a board by caller-supplied board ID without checking this.userId, membership, or admin access. Any authenticated user can copy a private board they are not a member of, including its cards, checklists, custom fields, labels, and rules, while the REST POST /api/boards/:boardId/copy path correctly checks board admin access. This issue is fixed in version 9.32.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-15
Last Modified
2026-07-15
Generated
2026-07-16
AI Q&A
2026-07-16
EPSS Evaluated
N/A
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
wekan wekan to 9.32 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

Wekan is an open-source kanban tool built with Meteor. A vulnerability exists in versions prior to 9.32 where the copyBoard method allows any authenticated user to copy a private board they are not a member of by exploiting a missing access check. This exposes sensitive board data like cards, checklists, and rules.

Impact Analysis

An attacker could access and copy private boards containing sensitive information without proper authorization. This could lead to data leaks, unauthorized access to internal workflows, or exposure of confidential project details.

Compliance Impact

This vulnerability could violate compliance requirements by allowing unauthorized access to protected data. GDPR and HIPAA mandate strict access controls; this flaw undermines those controls, potentially leading to data breaches and non-compliance penalties.

Detection Guidance

To detect this vulnerability, check if your Wekan instance is running a version prior to 9.32. Inspect server logs for unauthorized board copy attempts via the copyBoard method. Look for REST API calls to POST /api/boards/:boardId/copy from non-admin users.

Mitigation Strategies

Upgrade Wekan to version 9.32 or later immediately. Ensure all users have appropriate access controls and review board membership permissions. Monitor for any unauthorized board copies or data exposure.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-53445. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart