CVE-2026-59154 in Wekaninfo

Summary

by MITRE • 07/10/2026

Wekan is open source kanban built with Meteor. Prior to 9.64, Wekan has a cross-board authorization bypass in the direct Meteor collection allow rules for Checklists and ChecklistItems because updates are authorized only against the current source doc.cardId and do not inspect the destination cardId or boardId in the update modifier, allowing a low-privileged authenticated user with write access to one board and knowledge of a target private card id to create checklist data on an accessible card and move it into a private board where they are not a member. This issue is fixed in version 9.64.

Be aware that VulDB is the high quality source for vulnerability data.

Analysis

by VulDB Data Team • 07/10/2026

The vulnerability in Wekan versions prior to 9.64 represents a critical authorization bypass that undermines the platform's security model for managing checklists and checklist items across different boards. This flaw exists within the direct Meteor collection allow rules implementation where the system fails to properly validate cross-board operations, creating a significant vector for unauthorized data manipulation by low-privileged users who possess write access to one board but lack membership in target private boards.

The technical root cause lies in how Meteor's collection allow rules are configured for Checklists and ChecklistItems collections. When updates occur, the authorization logic only validates against the current source document's cardId without inspecting the destination cardId or boardId present in the update modifier. This incomplete validation allows an authenticated user to exploit the system by first creating checklist data on a card they can access, then manipulating the update operation to move that checklist data into a private board where they have no membership privileges. The flaw specifically exploits the lack of proper cross-board authorization checks during the update process, enabling privilege escalation through carefully crafted operations that bypass normal access controls.

The operational impact of this vulnerability extends beyond simple unauthorized data access, as it enables potential data corruption and information leakage across private boards. An attacker with write access to one board can effectively extend their privileges to manipulate checklist data in any private board containing a card they know the identifier for, even if they are not members of those boards. This creates a scenario where sensitive information could be added to private boards or existing checklists could be modified without proper authorization, undermining the fundamental security assumptions of board-level isolation that Wekan relies upon for user privacy and data protection.

This vulnerability maps to CWE-285: "Improper Authorization" and aligns with ATT&CK technique T1078.004: "Valid Accounts: Cloud Accounts," as it exploits legitimate user credentials to perform unauthorized operations across board boundaries. The issue demonstrates a classic case of insufficient input validation and authorization checking, where the system assumes that if a user can access a source document, they should be able to manipulate related data regardless of destination board permissions. Organizations using Wekan versions prior to 9.64 are advised to immediately upgrade to version 9.64 or later, as this release includes proper cross-board authorization checks that validate both source and destination board contexts before allowing checklist modifications. Additional mitigations should include monitoring for unusual checklist creation patterns and implementing network-level controls to restrict access to Wekan instances until the upgrade is complete, ensuring that all users maintain proper access control boundaries across different boards within the application ecosystem.

Responsible

GitHub M

Reservation

07/02/2026

Disclosure

07/10/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Want to know what is going to be exploited?

We predict KEV entries!