| Title | Wekan <8.21 Improper access control on migration endpoints (CWE-284) |
|---|
| Description | Attachment-migration methods did not consistently enforce that the caller had sufficient privileges for the target board. The fix adds checks requiring the user be a board admin or instance admin for migration execution, and requires board visibility for progress/status style calls. |
|---|
| Source | ⚠️ https://github.com/wekan/wekan/commit/053bf1dfb76ef230db162c64a6ed50ebedf67eee |
|---|
| User | MegaManSec (UID 94702) |
|---|
| Submission | 01/20/2026 12:56 PM (3 months ago) |
|---|
| Moderation | 02/05/2026 11:52 AM (16 days later) |
|---|
| Status | Accepted |
|---|
| VulDB entry | 344484 [WeKan up to 8.20 Attachment Migration attachmentMigration.js AttachmentMigrationBleed access control] |
|---|
| Points | 17 |
|---|