Home

Description

Wekan is open source kanban built with Meteor. Prior to 9.64, Wekan has a cross-board authorization bypass in the direct Meteor collection allow rules for Checklists and ChecklistItems because updates are authorized only against the current source doc.cardId and do not inspect the destination cardId or boardId in the update modifier, allowing a low-privileged authenticated user with write access to one board and knowledge of a target private card id to create checklist data on an accessible card and move it into a private board where they are not a member. This issue is fixed in version 9.64.

PUBLISHED Reserved 2026-07-02 | Published 2026-07-10 | Updated 2026-07-10 | Assigner GitHub_M




MEDIUM: 4.3CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Problem types

CWE-863: Incorrect Authorization

Product status

< 9.64
affected

References

github.com/.../wekan/security/advisories/GHSA-gv8h-5p3p-6hx7

github.com/...ommit/b1ca76007b9a295fd029dfefc1a2d1d6f1920835

github.com/wekan/wekan/releases/tag/v9.64

cve.org (CVE-2026-59154)

nvd.nist.gov (CVE-2026-59154)

Download JSON