CVE-2026-52893
Wekan: OIDC Account Takeover via Unconditional Email-Based Account Merge in onCreateUser hook
CVSS Score
0.0
EPSS Score
0.0%
EPSS Percentile
0th
Wekan is open source kanban built with Meteor. Prior to 9.32, the Wekan Accounts.onCreateUser hook in server/models/users.js merges OIDC logins into existing accounts when the OIDC email or username matches an existing Wekan user, without verifying ownership or checking email_verified. An attacker using an OIDC provider account with a victim's email or username can cause Wekan to merge the attacker's OIDC credentials into the victim account and then log in as that account. This issue is fixed in version 9.32.
| CWE | CWE-287 |
| Vendor | wekan |
| Product | wekan |
| Published | Jul 15, 2026 |
Stay Ahead of the Next One
Get instant alerts for wekan wekan
Be the first to know when new unknown vulnerabilities affecting wekan wekan are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
Affected Versions
wekan / wekan
< 9.32