๐Ÿ” CVE Alert

CVE-2026-53445

UNKNOWN 0.0

Wekan: Authorization bypass in copyBoard DDP method allows any user to copy private boards

CVSS Score
0.0
EPSS Score
0.0%
EPSS Percentile
0th

Wekan is open source kanban built with Meteor. Prior to 9.32, the Wekan copyBoard Meteor DDP method in server/publications/boards.js copies a board by caller-supplied board ID without checking this.userId, membership, or admin access. Any authenticated user can copy a private board they are not a member of, including its cards, checklists, custom fields, labels, and rules, while the REST POST /api/boards/:boardId/copy path correctly checks board admin access. This issue is fixed in version 9.32.

CWE CWE-862
Vendor wekan
Product wekan
Published Jul 15, 2026
Last Updated Jul 16, 2026
Stay Ahead of the Next One

Get instant alerts for wekan wekan

Be the first to know when new unknown vulnerabilities affecting wekan wekan are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

Affected Versions

wekan / wekan
< 9.32

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
github.com: https://github.com/wekan/wekan/security/advisories/GHSA-7w2h-g83c-jqrp github.com: https://github.com/wekan/wekan/commit/8940a103970c5da3f02b3615eef09fabfff421e3 github.com: https://github.com/wekan/wekan/releases/tag/v9.32