CVE-2026-59154
Received Received - Intake

Cross-Board Authorization Bypass in Wekan

Vulnerability report for CVE-2026-59154, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-10

Last updated on: 2026-07-10

Assigner: GitHub, Inc.

Description

Wekan is open source kanban built with Meteor. Prior to 9.64, Wekan has a cross-board authorization bypass in the direct Meteor collection allow rules for Checklists and ChecklistItems because updates are authorized only against the current source doc.cardId and do not inspect the destination cardId or boardId in the update modifier, allowing a low-privileged authenticated user with write access to one board and knowledge of a target private card id to create checklist data on an accessible card and move it into a private board where they are not a member. This issue is fixed in version 9.64.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-10
Last Modified
2026-07-10
Generated
2026-07-10
AI Q&A
2026-07-10
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 3 associated CPEs
Vendor Product Version / Range
wekan wekan 9.64
wekan wekan to 9.64 (inc)
wekan wekan to 9.64 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-863 The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-59154 is a moderate severity vulnerability in Wekan, an open source Kanban board application. The issue is an authorization bypass in the Meteor collection allow rules for Checklists and ChecklistItems. Specifically, the rules only check authorization against the source card's board but do not verify the destination card or board when a checklist or checklist item is moved. This allows a low-privileged authenticated user with write access to one board to create checklist data on their own card and then move it into a private board where they are not a member, provided they know the target private card ID. This bypasses the intended access controls and allows unauthorized writing of checklist data into another user's private board.

Impact Analysis

This vulnerability can allow an attacker with low privileges on one board to inject or move checklist data into private boards they do not have access to. This means unauthorized users can write data into private boards, potentially leading to data integrity issues, unauthorized data manipulation, and exposure of private board contents indirectly through injected data. The attacker does not need to be a member of the target board but must know a private card ID on that board.

Detection Guidance

This vulnerability involves unauthorized cross-board updates to checklist and checklist item documents in Wekan. Detection involves monitoring for suspicious direct Meteor collection updates where a checklist or checklist item is moved from a board the user has access to, to a private board where they are not a member.

Specifically, detection can focus on identifying updates to the Checklists or ChecklistItems collections where the cardId or boardId is changed to a destination card or board that the user should not have access to.

Since the exploit requires knowledge of a target private card ID and uses direct Meteor collection updates, network or application logs could be inspected for unusual update operations on these collections.

Suggested commands or approaches include:

  • Review application logs for update operations on Checklists and ChecklistItems collections that change cardId or boardId fields.
  • Use Meteor server-side logging or debugging tools to trace calls to Checklists.before.update hooks to detect unauthorized cross-board moves.
  • If network monitoring is possible, filter for Meteor DDP update messages that modify checklist or checklist item documents with destination cardId or boardId different from the source.
  • Check for any direct database updates bypassing application-level authorization that change checklist or checklist item ownership or board association.
Mitigation Strategies

The primary mitigation step is to upgrade Wekan to version 9.64 or later, where this vulnerability is fixed.

The fix involves adding deny rules that prevent unauthorized cross-board moves of checklist and checklist item documents by verifying both source and destination board permissions.

Until the upgrade can be applied, consider restricting write access to boards and monitoring for suspicious checklist or checklist item updates that change cardId or boardId to private boards.

  • Upgrade Wekan to version 9.64 or newer.
  • Apply deny rules or patches that check destination board authorization before allowing updates to checklist or checklist item cardId or boardId.
  • Restrict user permissions to minimize write access to boards where possible.
  • Monitor logs for unauthorized cross-board checklist or checklist item updates.
Compliance Impact

The vulnerability allows a low-privileged authenticated user to bypass authorization controls and write checklist data into private boards where they are not members. This unauthorized data access and modification could lead to exposure or alteration of sensitive or private information.

Such unauthorized access and data manipulation may impact compliance with data protection regulations like GDPR or HIPAA, which require strict access controls and protection of personal or sensitive data. The breach of authorization boundaries could result in non-compliance due to potential unauthorized disclosure or modification of protected information.

However, the provided information does not explicitly mention compliance impacts or regulatory considerations.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-59154. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart