CVE-2026-53444 in Wekan
Summary
by MITRE • 07/15/2026
Wekan is open source kanban built with Meteor. Prior to 9.32, Wekan OIDC-related Meteor methods in packages/wekan-oidc/oidc_server.js, server/models/org.js, and server/models/team.js are globally callable without the admin authorization checks used by their non-OIDC counterparts. Authenticated users can call setCreateOrgFromOidc, setOrgAllFieldsFromOidc, setCreateTeamFromOidc, setTeamAllFieldsFromOidc, boardRoutineOnLogin, or groupRoutineOnLogin to create or modify organizations and teams, and groupRoutineOnLogin can grant global admin privileges when PROPAGATE_OIDC_DATA is enabled. This issue is fixed in version 9.32.
If you want to get best quality of vulnerability data, you may have to visit VulDB.
Analysis
by VulDB Data Team • 07/16/2026
This vulnerability affects Wekan versions prior to 9.32 and represents a critical authorization bypass flaw within the OpenID Connect integration components. The issue stems from improper access controls in Meteor methods that handle OIDC-related operations, specifically those located in packages/wekan-oidc/oidc_server.js along with server models org.js and team.js. These methods which are designed to manage organizational and team creation and modification through OIDC authentication can be invoked globally by any authenticated user regardless of their administrative privileges.
The technical flaw manifests as a missing authorization check mechanism that should normally restrict access to these sensitive operations to administrators only. When authenticated users call methods such as setCreateOrgFromOidc, setOrgAllFieldsFromOidc, setCreateTeamFromOidc, setTeamAllFieldsFromOidc, boardRoutineOnLogin, or groupRoutineOnLogin, they can manipulate organizational structures and team configurations without proper administrative authorization. This represents a direct violation of the principle of least privilege and allows for unauthorized modification of core organizational data within the Wekan platform.
The operational impact of this vulnerability is significant as it enables authenticated attackers to escalate their privileges and gain unauthorized access to organizational resources. When the PROPAGATE_OIDC_DATA configuration is enabled, the groupRoutineOnLogin method can grant global administrator privileges to users, effectively allowing an attacker to assume complete control over the Wekan instance. This creates a pathway for privilege escalation that could lead to data compromise, unauthorized access to boards and teams, and potential lateral movement within the organization's collaborative environment.
The vulnerability aligns with CWE-284 (Improper Access Control) and represents a classic case of insufficient authorization checks in web applications. From an ATT&CK perspective, this issue maps to privilege escalation techniques where attackers can leverage weak access controls to gain higher privileges than initially intended. The flaw demonstrates poor input validation and access control implementation within the OIDC integration framework, allowing any authenticated user to perform administrative functions that should be restricted to authorized personnel only.
Organizations using Wekan versions prior to 9.32 should immediately implement mitigations including upgrading to version 9.32 or later where the authorization checks have been properly implemented. Additional defensive measures include monitoring for unusual organization and team creation patterns, reviewing user access logs for unauthorized administrative activities, and ensuring that PROPAGATE_OIDC_DATA is disabled if not strictly required. Security teams should also consider implementing network-level restrictions on OIDC-related endpoints and conducting thorough access control reviews to identify any potential exploitation attempts that may have occurred prior to the fix implementation.