๐Ÿ” CVE Alert

CVE-2026-53444

UNKNOWN 0.0

Wekan: Missing authorization on OIDC Meteor methods allows privilege escalation to admin

CVSS Score
0.0
EPSS Score
0.0%
EPSS Percentile
0th

Wekan is open source kanban built with Meteor. Prior to 9.32, Wekan OIDC-related Meteor methods in packages/wekan-oidc/oidc_server.js, server/models/org.js, and server/models/team.js are globally callable without the admin authorization checks used by their non-OIDC counterparts. Authenticated users can call setCreateOrgFromOidc, setOrgAllFieldsFromOidc, setCreateTeamFromOidc, setTeamAllFieldsFromOidc, boardRoutineOnLogin, or groupRoutineOnLogin to create or modify organizations and teams, and groupRoutineOnLogin can grant global admin privileges when PROPAGATE_OIDC_DATA is enabled. This issue is fixed in version 9.32.

CWE CWE-269 CWE-862
Vendor wekan
Product wekan
Published Jul 15, 2026
Stay Ahead of the Next One

Get instant alerts for wekan wekan

Be the first to know when new unknown vulnerabilities affecting wekan wekan are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

Affected Versions

wekan / wekan
< 9.32

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
github.com: https://github.com/wekan/wekan/security/advisories/GHSA-cv95-8h7c-2ffq github.com: https://github.com/wekan/wekan/commit/305864f0c77456ad0f2c1e616266c8a06749c951 github.com: https://github.com/wekan/wekan/releases/tag/v9.32