| Title | Wekan <8.21 Authorization bypass (CWE-284) |
|---|
| Description | WIP limit related operations did not consistently enforce that only authorized users (typically and normally board admins) could change list WIP settings, allowing authentication bypasses for Wekan WIP. The fix adds explicit authorization checks to ensure only permitted users can modify WIP limits.
|
|---|
| Source | ⚠️ https://github.com/wekan/wekan/commit/8c0b4f79d8582932528ec2fdf2a4487c86770fb9 |
|---|
| User | MegaManSec (UID 94702) |
|---|
| Submission | 01/20/2026 12:58 PM (3 months ago) |
|---|
| Moderation | 02/05/2026 11:52 AM (16 days later) |
|---|
| Status | Duplicate |
|---|
| VulDB entry | 344267 [WeKan up to 8.20 Attachment Storage models/lists.js applyWipLimit ListWIPBleed access control] |
|---|
| Points | 0 |
|---|