CVE-2026-52893 in Wekan
Summary
by MITRE • 07/16/2026
Wekan is open source kanban built with Meteor. Prior to 9.32, the Wekan Accounts.onCreateUser hook in server/models/users.js merges OIDC logins into existing accounts when the OIDC email or username matches an existing Wekan user, without verifying ownership or checking email_verified. An attacker using an OIDC provider account with a victim's email or username can cause Wekan to merge the attacker's OIDC credentials into the victim account and then log in as that account. This issue is fixed in version 9.32.
If you want to get best quality of vulnerability data, you may have to visit VulDB.
Analysis
by VulDB Data Team • 07/16/2026
The vulnerability in Wekan versions prior to 9.32 represents a critical authentication bypass and account takeover weakness that stems from improper user account merging logic within the OpenID Connect (OIDC) authentication flow. This flaw exists in the server-side implementation where the Accounts.onCreateUser hook in server/models/users.js automatically merges OIDC login credentials with existing Wekan accounts when there is a match on email or username fields. The system fails to implement proper ownership verification mechanisms that would normally be expected in secure authentication systems, creating a pathway for malicious actors to hijack legitimate user accounts.
The technical implementation of this vulnerability allows attackers to exploit the lack of email verification checking and ownership validation during the OIDC account linking process. When an attacker registers or authenticates through an OIDC provider using an email address or username that already exists in the Wekan system, the platform automatically associates the attacker's OIDC credentials with the existing account without requiring proof of account ownership. This merging behavior violates fundamental security principles and creates a direct attack vector for privilege escalation and unauthorized access to victim accounts. The flaw essentially transforms the authentication system from a secure verification mechanism into a trust-based merging process that lacks proper validation controls.
The operational impact of this vulnerability is significant as it enables sophisticated social engineering and account takeover attacks without requiring knowledge of existing user passwords or additional authentication factors. Attackers can leverage this weakness to impersonate legitimate users, access sensitive project data, modify task assignments, and potentially escalate their privileges within the Wekan environment. This vulnerability particularly affects organizations that rely on OIDC integration for user management, as it undermines the trust model between the authentication provider and the application. The risk is amplified in environments where multiple users share similar email formats or username patterns, making account takeover more likely.
This vulnerability aligns with CWE-862 (Authorization Bypass Through User Impersonation) and represents a failure to implement proper authentication binding controls as outlined in NIST SP 800-63B guidelines for identity verification. The issue also maps to ATT&CK technique T1566 (Phishing for Information) and T1078 (Valid Accounts) where attackers can leverage legitimate user credentials through manipulation of the authentication system rather than traditional credential theft methods. Organizations using Wekan versions prior to 9.32 should immediately implement mitigations including updating to version 9.32 or later, reviewing existing user account associations, and implementing additional verification mechanisms for OIDC account linking. The fix in version 9.32 addresses the core issue by introducing proper email verification checking and ownership validation before allowing account merging operations, thereby restoring the security boundary between authentication providers and user accounts.
Organizations should also consider implementing additional monitoring controls to detect unusual account merging activities and establish proper incident response procedures for potential account takeover events. The vulnerability demonstrates the importance of secure session management and proper authentication flow validation in web applications that integrate with external identity providers. Security teams should conduct comprehensive audits of their OIDC configurations and review all user account merging logic within their applications to prevent similar issues from occurring in other systems that may exhibit analogous security weaknesses in their authentication handling mechanisms.