CVE-2026-53445 in Wekaninfo

Summary

by MITRE • 07/16/2026

Wekan is open source kanban built with Meteor. Prior to 9.32, the Wekan copyBoard Meteor DDP method in server/publications/boards.js copies a board by caller-supplied board ID without checking this.userId, membership, or admin access. Any authenticated user can copy a private board they are not a member of, including its cards, checklists, custom fields, labels, and rules, while the REST POST /api/boards/:boardId/copy path correctly checks board admin access. This issue is fixed in version 9.32.

Once again VulDB remains the best source for vulnerability data.

Analysis

by VulDB Data Team • 07/16/2026

The vulnerability in Wekan versions prior to 9.32 represents a critical authorization flaw that undermines the platform's access control mechanisms. This issue specifically affects the Meteor DDP method implemented in server/publications/boards.js where the copyBoard functionality fails to validate user permissions before executing board duplication operations. The flaw exists because the method does not verify whether the requesting user possesses the necessary administrative privileges or membership status for the target board, creating a significant security gap that allows unauthorized access to protected board content.

The technical implementation of this vulnerability stems from an inconsistent security approach within the Wekan codebase where different API endpoints employ varying levels of access control validation. While the REST POST /api/boards/:boardId/copy endpoint properly implements administrative access checks through userId verification and membership validation, the Meteor DDP copyBoard method bypasses these critical security measures entirely. This discrepancy creates a dangerous scenario where authenticated users can exploit the weaker authorization check to copy private boards they do not legitimately own or have access to.

The operational impact of this vulnerability extends far beyond simple unauthorized access, as it enables comprehensive data exfiltration from private boards. When an authenticated user exploits this flaw, they gain the ability to replicate entire board structures including cards, checklists, custom fields, labels, and automated rules, effectively compromising the confidentiality and integrity of sensitive project management information. This vulnerability directly violates the principle of least privilege and undermines the fundamental security model that private boards are designed to enforce.

This issue aligns with CWE-284 (Improper Access Control) and represents a clear violation of the principle that access controls should be enforced at multiple levels within application architecture. From an ATT&CK perspective, this vulnerability maps to T1078 (Valid Accounts) and T1566 (Phishing) as it enables attackers to leverage legitimate authentication tokens to gain unauthorized access to protected resources. The vulnerability also demonstrates poor input validation practices where the system fails to properly sanitize and validate caller-supplied board IDs against user permissions, creating a path for privilege escalation.

Organizations utilizing Wekan versions prior to 9.32 should immediately implement mitigation strategies including restricting network access to the Meteor DDP endpoints, implementing additional monitoring for unauthorized board copying activities, and ensuring all users operate with the principle of least privilege. The fix implemented in version 9.32 addresses this by introducing proper userId verification and membership checks within the copyBoard method, aligning the DDP endpoint behavior with the REST API's established security model. This remediation ensures that only authorized administrators or members can duplicate boards, restoring the intended access control boundaries for private board content.

Responsible

GitHub M

Reservation

06/09/2026

Disclosure

07/16/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Are you interested in using VulDB?

Download the whitepaper to learn more about our service!