CVE-2026-53444 in Wekaninfo

Summary

by MITRE • 07/15/2026

Wekan is open source kanban built with Meteor. Prior to 9.32, Wekan OIDC-related Meteor methods in packages/wekan-oidc/oidc_server.js, server/models/org.js, and server/models/team.js are globally callable without the admin authorization checks used by their non-OIDC counterparts. Authenticated users can call setCreateOrgFromOidc, setOrgAllFieldsFromOidc, setCreateTeamFromOidc, setTeamAllFieldsFromOidc, boardRoutineOnLogin, or groupRoutineOnLogin to create or modify organizations and teams, and groupRoutineOnLogin can grant global admin privileges when PROPAGATE_OIDC_DATA is enabled. This issue is fixed in version 9.32.

If you want to get best quality of vulnerability data, you may have to visit VulDB.

Analysis

by VulDB Data Team • 07/16/2026

This vulnerability affects Wekan versions prior to 9.32 and represents a critical authorization bypass flaw within the OpenID Connect integration components. The issue stems from improper access controls in Meteor methods that handle OIDC-related operations, specifically those located in packages/wekan-oidc/oidc_server.js along with server models org.js and team.js. These methods which are designed to manage organizational and team creation and modification through OIDC authentication can be invoked globally by any authenticated user regardless of their administrative privileges.

The technical flaw manifests as a missing authorization check mechanism that should normally restrict access to these sensitive operations to administrators only. When authenticated users call methods such as setCreateOrgFromOidc, setOrgAllFieldsFromOidc, setCreateTeamFromOidc, setTeamAllFieldsFromOidc, boardRoutineOnLogin, or groupRoutineOnLogin, they can manipulate organizational structures and team configurations without proper administrative authorization. This represents a direct violation of the principle of least privilege and allows for unauthorized modification of core organizational data within the Wekan platform.

The operational impact of this vulnerability is significant as it enables authenticated attackers to escalate their privileges and gain unauthorized access to organizational resources. When the PROPAGATE_OIDC_DATA configuration is enabled, the groupRoutineOnLogin method can grant global administrator privileges to users, effectively allowing an attacker to assume complete control over the Wekan instance. This creates a pathway for privilege escalation that could lead to data compromise, unauthorized access to boards and teams, and potential lateral movement within the organization's collaborative environment.

The vulnerability aligns with CWE-284 (Improper Access Control) and represents a classic case of insufficient authorization checks in web applications. From an ATT&CK perspective, this issue maps to privilege escalation techniques where attackers can leverage weak access controls to gain higher privileges than initially intended. The flaw demonstrates poor input validation and access control implementation within the OIDC integration framework, allowing any authenticated user to perform administrative functions that should be restricted to authorized personnel only.

Organizations using Wekan versions prior to 9.32 should immediately implement mitigations including upgrading to version 9.32 or later where the authorization checks have been properly implemented. Additional defensive measures include monitoring for unusual organization and team creation patterns, reviewing user access logs for unauthorized administrative activities, and ensuring that PROPAGATE_OIDC_DATA is disabled if not strictly required. Security teams should also consider implementing network-level restrictions on OIDC-related endpoints and conducting thorough access control reviews to identify any potential exploitation attempts that may have occurred prior to the fix implementation.

Responsible

GitHub M

Reservation

06/09/2026

Disclosure

07/15/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Interested in the pricing of exploits?

See the underground prices here!