CVE-2026-55652 in Wekan信息

摘要

由 MITRE • 2026-07-16

Wekan is open source kanban built with Meteor. Prior to 9.46, header-login with HEADER_LOGIN_TRUSTED_IPS uses getRequestIp() in server/lib/headerLoginAuth.js to trust the client-supplied X-Forwarded-For header before the real socket address, allowing an unauthenticated attacker to send HEADER_LOGIN_ID for any username and receive a meteor_login_token session, including for admin. This issue is fixed in version 9.46.

Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

来源

Do you need the next level of professionalism?

Upgrade your account now!