Back to overview

CVE-2026-59154

MEDIUM
4.3
CVSS 3.1
Description
Wekan is open source kanban built with Meteor. Prior to 9.64, Wekan has a cross-board authorization bypass in the direct Meteor collection allow rules for Checklists and ChecklistItems because updates are authorized only against the current source doc.cardId and do not inspect the destination cardId or boardId in the update modifier, allowing a low-privileged authenticated user with write access to one board and knowledge of a target private card id to create checklist data on an accessible card and move it into a private board where they are not a member. This issue is fixed in version 9.64.

Metadata

CVE ID
CVE-2026-59154
State
PUBLISHED
Assigner
GitHub_M
Reserved
2026-07-02 16:50 UTC
Published
2026-07-10 15:45 UTC
Last updated
2026-07-10 15:45 UTC
Primary CWE
CWE-863
CWE-863: Incorrect Authorization
Vendor / Product
wekan / wekan
Sources
cve.org  ·  NVD

Severity & Metrics

4.3 MEDIUM CVSS 3.1
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Affected products (1)
VendorProductPlatformVersions
wekan wekan < 9.64
Weakness (CWE)
CWESourceDescription
CWE-863 cna CWE-863: Incorrect Authorization
CVSS scores (1)
ScoreSeverityVersionSourceVector
4.3 MEDIUM 3.1 cna CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
References (3)
Back to overview