| Title | Wekan <8.21 IDOR via REST API / improper object relationship validation |
|---|
| Description | Certain REST endpoints for checklist items accepted boardId/cardId/checklistId parameters but did not sufficiently verify that the referenced checklist item belonged to the specified card and board. This could allow an authenticated user with access to one board to act on checklist items from another board by guessing or obtaining object IDs. The fix adds relationship checks (item.cardId, item.checklistId, card.boardId) and returns 404 when mismatched. |
|---|
| Source | ⚠️ https://github.com/wekan/wekan/commit/cabfeed9a68e21c469bf206d8655941444b9912c |
|---|
| User | MegaManSec (UID 94702) |
|---|
| Submission | 01/20/2026 12:36 PM (2 months ago) |
|---|
| Moderation | 02/04/2026 03:36 PM (15 days later) |
|---|
| Status | Accepted |
|---|
| VulDB entry | 344265 [WeKan up to 8.20 REST API models/boards.js setBoardOrgs item.cardId/item.checklistId/card.boardId improper authorization] |
|---|
| Points | 20 |
|---|