Security: wekan/wekan
Security Advisories
View known security vulnerabilities and report new vulnerabilities privately to maintainers.

- Header-login IP allowlist bypass via X-Forwarded-For spoofing in Wekan v9.45 allows unauthenticated full account takeover (incl. admin)
  GHSA-jggc-qvfc-jr6x, Critical, published Jun 15, 2026 by xet7
- Broken access control: any authenticated user can move their Cards/Lists/Swimlanes into a private board they are not a member of (cross-board write via collection allow rule)
  GHSA-gm7v-pc38-53jr, High, published Jun 11, 2026 by xet7
- `cloneBoard` Meteor method has no authorization check — any user can clone (read) any private board by ID
  GHSA-qfqv-42qw-vvwh, Moderate, published Jun 6, 2026 by xet7
- Arbitrary file read and server DoS via attachment versions.original.path
  GHSA-g6vm-7757-pr88, High, published May 30, 2026 by xet7
- Read-only board members can create/modify/delete Custom Fields (privilege escalation via read-level authz on write ops)
  GHSA-6733-4wgq-8xvr, Moderate, published May 30, 2026 by xet7
- Wekan: Shell Injection via Avatar Upload
  GHSA-35j7-h385-2q9g, Critical, published May 30, 2026 by xet7
- OIDC Account Takeover via Unconditional Email-Based Account Merge in onCreateUser hook
  GHSA-mp7g-hj5q-gxhq, Critical, published May 30, 2026 by xet7
- Missing authorization on OIDC Meteor methods allows privilege escalation to admin
  GHSA-cv95-8h7c-2ffq, High, published May 30, 2026 by xet7
- Authorization bypass in copyBoard DDP method allows any user to copy private boards
  GHSA-7w2h-g83c-jqrp, High, published May 30, 2026 by xet7
- Server-Side Request Forgery (SSRF) via webhook integration URLs
  GHSA-hc3x-hq3m-663q, High, published May 30, 2026 by xet7