๐Ÿ” CVE Alert

CVE-2026-59154

MEDIUM 4.3

Wekan: Checklist direct DDP updates can write checklist data into private boards

CVSS Score
4.3
EPSS Score
0.0%
EPSS Percentile
0th

Wekan is open source kanban built with Meteor. Prior to 9.64, Wekan has a cross-board authorization bypass in the direct Meteor collection allow rules for Checklists and ChecklistItems because updates are authorized only against the current source doc.cardId and do not inspect the destination cardId or boardId in the update modifier, allowing a low-privileged authenticated user with write access to one board and knowledge of a target private card id to create checklist data on an accessible card and move it into a private board where they are not a member. This issue is fixed in version 9.64.

CWE CWE-863
Vendor wekan
Product wekan
Published Jul 10, 2026
Last Updated Jul 10, 2026
Stay Ahead of the Next One

Get instant alerts for wekan wekan

Be the first to know when new medium vulnerabilities affecting wekan wekan are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Affected Versions

wekan / wekan
< 9.64

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
github.com: https://github.com/wekan/wekan/security/advisories/GHSA-gv8h-5p3p-6hx7 github.com: https://github.com/wekan/wekan/commit/b1ca76007b9a295fd029dfefc1a2d1d6f1920835 github.com: https://github.com/wekan/wekan/releases/tag/v9.64