Hall of Fame image from https://openclipart.org/detail/120343/trophy


See SECURITY.md for how to do Responsible Security Disclosure by email to security@wekan.fi

CVE | Vulnerability name | Date | Responsible Security Disclosure by | Vulnerabilities
GHSA-gv8h-5p3p-6hx7

ChecklistBleed

2026-06-20 DavidCarliez (coordinated disclosure) and Claude (fix)

Did send detailed report with PoC!
  • ChecklistBleed — the Checklists/ChecklistItems DDP collection allow rules (server/permissions/checklists.js, checklistItems.js) authorized an update against only the document's CURRENT (source) cardId, never the destination. A low-privileged user could move a checklist/item they own onto a card in a private board they are not a member of by $set-ting a new cardId/checklistId (boardId is then denormalized from the destination card), writing attacker-controlled checklist data into the victim's private board — same class as BoardBleed, but for the card-attached checklist documents (GHSA-gv8h-5p3p-6hx7, CWE-863)
  • CVSS:3.1 Moderate (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N)
  • Fixed by adding denyCrossBoardMoveByCard/denyCrossBoardMoveByChecklistItem in server/lib/utils.js and a Checklists.deny/ChecklistItems.deny update rule that rejects any move whose destination board the caller cannot write to
  • Affected Wekan v9.62 and earlier; fixed at the upcoming WeKan release
  • More details
-

InputBleed

2026-06-18 GitHub CodeQL (code scanning alert #421) and Claude (fix)

Automated code scanning flagged the incomplete sanitization.
  • InputBleed — stripHtml() in client/lib/importDependencies.js stripped HTML tags with a single pass of /<[^>]*>/g. That is incomplete: a dangling unclosed tag with no closing > (e.g. a trailing <script or <svg/onload=...) is never matched by the regex and survives untouched, leaving <script in the output; and removing one match can splice surrounding text into a new match. A crafted card-dependency ("Red Strings") import file could thus smuggle an HTML/script fragment past the sanitizer (CWE-79, CWE-80, CWE-116)
  • GitHub CodeQL code scanning alert #421, rule js/incomplete-multi-character-sanitization, severity High
  • Fixed by looping the tag-stripping replacement to a fixed point and then removing any remaining stray </> characters, so neither a complete nor a partial tag can remain
  • Fixed at Wekan v9.52 2026-06-18
  • More details
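The InputBleed entry above turns on one property of the sanitizer: a single pass of `/<[^>]*>/g` cannot touch a `<` that has no closing `>` after it, so a dangling `<script` or `<svg/onload=` passes through untouched. The block below is an added example, not WeKan's `stripHtml()` from client/lib/importDependencies.js; it places that single-pass shape beside the fixed-point form the fix describes (repeat until nothing changes, then drop stray `<` and `>`). The inputs are constructed test vectors.

```javascript
// Added example (not WeKan's own code): single-pass tag stripping beside the
// fixed-point form. Sample inputs below are constructed for the demo.

const TAG_RE = /<[^>]*>/g;

// Vulnerable shape: one pass of the regex. A '<' with no '>' after it is
// never part of a match, so a dangling tag fragment survives as-is.
function stripHtmlSinglePass(input) {
  return String(input).replace(TAG_RE, '');
}

// Hardened shape: repeat the replacement until the output stops changing
// (a fixed point, which also covers sanitizers whose single pass can expose
// a new match), then remove any stray '<' or '>' so that neither a complete
// nor a partial tag can remain in the result.
function stripHtmlFixedPoint(input) {
  let prev;
  let out = String(input);
  do {
    prev = out;
    out = out.replace(TAG_RE, '');
  } while (out !== prev);
  return out.replace(/[<>]/g, '');
}

// Constructed vectors: a dangling tag, a dangling SVG fragment, a complete
// tag pair, and stray angle brackets in ordinary text.
const SAMPLES = [
  { label: 'dangling script tag', input: 'title <script' },
  { label: 'dangling svg fragment', input: '<svg/onload=x' },
  { label: 'complete tag pair', input: '<b>bold</b> text' },
  { label: 'stray brackets', input: 'a > b < c' },
];

// Run both sanitizers over every sample; returns one record per sample.
function compare() {
  return SAMPLES.map(({ label, input }) => ({
    label,
    input,
    singlePass: stripHtmlSinglePass(input),
    fixedPoint: stripHtmlFixedPoint(input),
  }));
}

for (const r of compare()) console.log(r);
```

Tag stripping of this kind makes an imported string inert only as text; if the value is later rendered as HTML, escaping on output or an allowlist-based HTML sanitizer remains the robust control.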
GHSA-jggc-qvfc-jr6x CVE requested

ProxyBleed

2026-06-15 rz1027 (coordinated disclosure) and Claude

Did send detailed report with PoC!
  • 1. ProxyBleed — header-login IP allowlist bypass via X-Forwarded-For spoofing (GHSA-jggc-qvfc-jr6x, CWE-290, CWE-287, CWE-348). Wekan's header-login (reverse-proxy SSO) feature gated passwordless login on a source-IP allowlist (HEADER_LOGIN_TRUSTED_IPS) but read the client-supplied X-Forwarded-For header as the source IP. An unauthenticated attacker who can reach the app port directly sends a single GET request with a spoofed X-Forwarded-For: <allowlisted-ip> plus the username header (e.g. X-Auth-User: admin) and is minted a full passwordless login session (meteor_login_token) for any existing user including admin — complete account takeover and admin impersonation. An empty allowlist also failed open
  • CVSS: 9.8 Critical (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
  • The fix derives the source IP from the real TCP socket peer, only honors X-Forwarded-For when the immediate peer is a configured trusted proxy (taking the right-most untrusted hop), and fails closed when the allowlist is unset
  • Affected Wekan v9.44 and earlier
  • Fixed at Wekan v9.46, see CHANGELOG
  • More details
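The fix summary above has three parts: take the source IP from the TCP peer, honor X-Forwarded-For only when that peer is a configured trusted proxy (walking the chain from the right past trusted hops), and fail closed when the allowlist is unset. The block below is an added example of that resolution logic, not WeKan's own header-login code; the function names, the config shape and the addresses (taken from documentation ranges) are assumptions, and HEADER_LOGIN_TRUSTED_IPS is only referenced by name from the entry above.

```javascript
// Added example (not WeKan's own code): source-IP resolution for a header-login
// allowlist. Names and config shape are assumptions; addresses are constructed.

// Split a comma-separated value (header or config) into trimmed entries.
function parseList(value) {
  return String(value || '').split(',').map(s => s.trim()).filter(Boolean);
}

// Derive the client IP. The TCP peer is the only address the client cannot
// choose. X-Forwarded-For is honored only when that peer is a trusted proxy,
// and the chain is then walked from the right, skipping trusted proxies, so the
// result is the right-most hop that no trusted proxy vouches for. Anything to
// the left of it was supplied by untrusted parties and is ignored.
function resolveClientIp(peerAddress, xffHeader, trustedProxies) {
  const trusted = new Set(trustedProxies);
  if (!trusted.has(peerAddress)) {
    return peerAddress; // direct connection: the header carries no authority
  }
  const hops = parseList(xffHeader);
  for (let i = hops.length - 1; i >= 0; i--) {
    if (!trusted.has(hops[i])) return hops[i];
  }
  return peerAddress; // header empty or every hop trusted
}

// Allowlist gate for passwordless header login. An unset or empty allowlist
// denies everything (fail closed) instead of admitting everyone.
function headerLoginAllowed(clientIp, allowlist) {
  const allowed = parseList(allowlist);
  if (allowed.length === 0) return false;
  return allowed.includes(clientIp);
}

// One decision per request, made before the username header is looked at.
// `config.trustedProxies` plays the role of a trusted-proxy list and
// `config.allowlist` the role of HEADER_LOGIN_TRUSTED_IPS (assumed shape).
function decide(req, config) {
  const ip = resolveClientIp(
    req.peerAddress,
    req.headers['x-forwarded-for'],
    parseList(config.trustedProxies),
  );
  return { ip, allowed: headerLoginAllowed(ip, config.allowlist) };
}

// Constructed scenarios: 10.0.0.2 is the reverse proxy, 192.0.2.10 the only
// allowlisted client.
const CONFIG = { trustedProxies: '10.0.0.2', allowlist: '192.0.2.10' };
const SCENARIOS = {
  // direct connection to the app port carrying a forged header
  directWithHeader: { peerAddress: '203.0.113.7', headers: { 'x-forwarded-for': '192.0.2.10' } },
  // genuine request relayed by the trusted proxy for the allowlisted client
  viaProxy: { peerAddress: '10.0.0.2', headers: { 'x-forwarded-for': '192.0.2.10' } },
  // relayed by the proxy, but the real client 198.51.100.4 prepended a hop
  viaProxyPrepended: { peerAddress: '10.0.0.2', headers: { 'x-forwarded-for': '192.0.2.10, 198.51.100.4' } },
  // relayed by the proxy with no header at all
  viaProxyNoHeader: { peerAddress: '10.0.0.2', headers: {} },
};

for (const [name, req] of Object.entries(SCENARIOS)) console.log(name, decide(req, CONFIG));
```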
CVE-2026-55234 GHSA-gm7v-pc38-53jr

BoardBleed

2026-06-11 0xzap (coordinated disclosure) and Claude

Did send detailed report with PoC!
  • 1. BoardBleed — broken access control: any authenticated user could move their Cards/Lists/Swimlanes into a private board they are not a member of (cross-board write via collection allow rule) (CVE-2026-55234 GHSA-gm7v-pc38-53jr, CWE-284, CWE-639). The DDP write policies for Cards, Lists and Swimlanes authorized an update by checking only the document's CURRENT (source) boardId and never validated the NEW boardId in the update modifier; any logged-in user could $set boardId to a victim's private board over /cards/update, /lists/update or /swimlanes/update and inject attacker-controlled cards/lists/swimlanes into a board they cannot even read
  • CVSS: 7.x High (AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:L)
  • The REST move endpoint (PUT /api/boards/:boardId/lists/:listId/cards/:cardId with newBoardId) was not affected; it checks checkBoardWriteAccess on the destination board. Only the DDP allow/deny layer was vulnerable
  • Affected Wekan v9.35 and earlier
  • Fixed at Wekan v9.37, see CHANGELOG
  • More details
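BoardBleed (this entry) and ChecklistBleed (the entry at the top of this page) share one root cause: the collection allow rule authorized an update against the document's current board only and never looked at where the modifier moves it. The block below is an added example, not WeKan's own allow/deny rules or its denyCrossBoardMoveByCard helper; it shows the source-only allow rule beside a deny rule that resolves the destination (a `$set` boardId directly, or a `$set` cardId through the destination card) and rejects the update when the caller cannot write there. Boards, cards and users are constructed in-memory data.

```javascript
// Added example (not WeKan's own code): a deny rule that validates the
// DESTINATION of a move. Boards, cards and the access check are constructed.

// Constructed data: u1 is a member of private board b1 only; b2 is private
// and u1 is not a member of it.
const BOARDS = {
  b1: { members: { u1: 'normal', u3: 'read-only' } },
  b2: { members: { u2: 'normal' } },
};
const CARDS = {
  c1: { boardId: 'b1' },
  c2: { boardId: 'b2' },
};

// Stand-in for a board write-access check: member with a writable role.
function canWriteBoard(userId, boardId) {
  const board = BOARDS[boardId];
  if (!board) return false;
  const role = board.members[userId];
  return Boolean(role) && role !== 'read-only';
}

// Pre-fix shape: authorize against the document's CURRENT board only.
function allowUpdateBySourceBoard(userId, doc) {
  return canWriteBoard(userId, doc.boardId);
}

// Where would the modifier move the document? Returns null when the linking
// field is untouched, undefined when the destination cannot be resolved,
// otherwise the destination board id. `resolveBoard` maps the field's new
// value to a board (identity for boardId, a card lookup for cardId).
function destinationBoard(modifier, field, resolveBoard) {
  const set = modifier.$set || {};
  if (!Object.prototype.hasOwnProperty.call(set, field)) return null;
  return resolveBoard(set[field]);
}

// Deny rule: true means "reject". Rejects any operator other than $set that
// touches the linking field, an unresolvable destination, and a destination
// board the caller cannot write to.
function denyCrossBoardMove(userId, doc, modifier, field, resolveBoard) {
  for (const op of Object.keys(modifier)) {
    const args = modifier[op];
    if (op !== '$set' && args && typeof args === 'object' &&
        Object.prototype.hasOwnProperty.call(args, field)) {
      return true;
    }
  }
  const dest = destinationBoard(modifier, field, resolveBoard);
  if (dest === null) return false;     // not a move; other rules decide
  if (dest === undefined) return true; // unknown destination: fail closed
  return !canWriteBoard(userId, dest);
}

// The two document families from the entries above.
const denyCardMove = (userId, doc, modifier) =>
  denyCrossBoardMove(userId, doc, modifier, 'boardId', id => id);
const denyChecklistItemMove = (userId, doc, modifier) =>
  denyCrossBoardMove(userId, doc, modifier, 'cardId',
    id => (CARDS[id] ? CARDS[id].boardId : undefined));

// Combined decision: an update passes only if an allow rule accepts it and
// no deny rule rejects it.
function authorizeCardUpdate(userId, doc, modifier) {
  return allowUpdateBySourceBoard(userId, doc) && !denyCardMove(userId, doc, modifier);
}
function authorizeChecklistItemUpdate(userId, doc, modifier) {
  return allowUpdateBySourceBoard(userId, doc) && !denyChecklistItemMove(userId, doc, modifier);
}

// Constructed request: u1 moves its own card from b1 into b2.
console.log('allow rule only:', allowUpdateBySourceBoard('u1', { boardId: 'b1' }));
console.log('with deny rule :', authorizeCardUpdate('u1', { boardId: 'b1' }, { $set: { boardId: 'b2' } }));
```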
CVE requested

TokenBleed

2026-06-10 Zion Boggan (coordinated disclosure) and Claude

Did send detailed report with PoC!
  • 1. TokenBleed — unauthenticated login-token minting via un-awaited auth check in POST /api/createtoken/:userId (CWE-863, CWE-287). Authentication.checkUserId is async, so its 401/403 throws became rejected promises that a synchronous try/catch could not catch; the un-awaited call never stopped execution, so the handler minted and returned a usable login token for any user ID — including an admin — with no credentials (unauthenticated account takeover)
  • 2. The same detached-rejection bypass affected the other un-awaited checkUserId/checkAdminOrCondition handlers: GET /api/users, GET /api/users/:userId, PUT /api/users/:userId, POST /api/users/, DELETE /api/users/:userId, POST /api/deletetoken, GET /api/boards, GET /api/boards_count, DELETE /api/boards/:boardId, GET /api/users/:userId/boards and POST /api/boards/:boardId/copy (user enumeration, deletion, takeOwnership, board member changes and board deletion)
  • Affected Wekan v9.35 and earlier
  • Fixed at Wekan v9.36, see CHANGELOG
  • More details
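The mechanism in the TokenBleed entry is a language-level one: an `async` function never throws synchronously, it returns a rejected promise, so a synchronous `try/catch` around an un-awaited call catches nothing and execution continues to the token minting. The block below is an added example of that pattern and of the awaited form, not WeKan's Authentication.checkUserId or its createtoken handler; the user table, request objects and token minter are constructed stand-ins.

```javascript
// Added example (not WeKan's own code): an un-awaited async auth check beside
// the awaited form. Users, requests and the token minter are constructed.

const USERS = { admin: { isAdmin: true }, alice: { isAdmin: false } };

// Stand-in for an async auth check that throws 401/403 on failure. Because it
// is `async`, every throw becomes a rejected promise rather than an exception.
async function checkUserId(req) {
  if (!req.authenticatedUserId) {
    const err = new Error('Unauthorized');
    err.statusCode = 401;
    throw err;
  }
  const caller = USERS[req.authenticatedUserId];
  if (req.authenticatedUserId !== req.params.userId && !(caller && caller.isAdmin)) {
    const err = new Error('Forbidden');
    err.statusCode = 403;
    throw err;
  }
}

// Constructed token minter; a real server would generate a random token.
function mintLoginToken(userId) {
  return `token-for-${userId}`;
}

// Vulnerable shape: synchronous handler, check called without `await`.
// checkUserId() returns a promise immediately, so nothing here ever throws
// and the try/catch is dead code. The token is minted regardless.
function createTokenUnawaited(req) {
  try {
    const pending = checkUserId(req);
    // Demo only: swallow the detached rejection so this process does not
    // crash. On a real server it surfaces as an unhandled rejection long
    // after the response carrying the token has already been sent.
    pending.catch(() => {});
    return { statusCode: 200, body: { token: mintLoginToken(req.params.userId) } };
  } catch (err) {
    return { statusCode: err.statusCode || 500, body: { error: err.message } };
  }
}

// Fixed shape: the handler is async and awaits the check, so a rejection
// lands in the catch block and no token is minted.
async function createTokenAwaited(req) {
  try {
    await checkUserId(req);
    return { statusCode: 200, body: { token: mintLoginToken(req.params.userId) } };
  } catch (err) {
    return { statusCode: err.statusCode || 500, body: { error: err.message } };
  }
}

// Constructed requests: who is calling, and whose token is requested.
const ANONYMOUS_FOR_ADMIN = { authenticatedUserId: null, params: { userId: 'admin' } };
const ALICE_FOR_ADMIN = { authenticatedUserId: 'alice', params: { userId: 'admin' } };
const ADMIN_FOR_ADMIN = { authenticatedUserId: 'admin', params: { userId: 'admin' } };

console.log('unawaited, anonymous:', createTokenUnawaited(ANONYMOUS_FOR_ADMIN));
createTokenAwaited(ANONYMOUS_FOR_ADMIN).then(r => console.log('awaited, anonymous:', r));
```

The same shape applies to every handler listed in item 2 of this entry: any authorization helper that is `async` must be awaited by an `async` handler (or its promise explicitly chained), and a lint rule such as no-floating-promises catches the omission before review does.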
CVE-2026-53447 GHSA-qfqv-42qw-vvwh

CloneBleed

2026-06-04 dizconnectz (cloneBoard) and Claude (similar issues found by code review)

Did send detailed report with full PoC!
  • 1. CloneBleed — cloneBoard Meteor method had no authorization check: any user could clone (read) any private board by ID (CWE-639, CWE-862)
  • CVSS: 6.5 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)
  • 2. moveChecklist membership guard never ran (async helper unimported and un-awaited)
  • 3. updateListSort guard referenced an unimported function, so it never ran
  • 4. Attachment API methods/handlers called non-existent isBoardMember; card/board relationship not verified
  • 5. applyListWidth stored per-board list width with no board membership check
  • 6. getBackgroundImageURL returned any board's background by ID
  • 7. Missing-lists migration status/execute methods missing board authorization
  • 8. Attachment migration methods missing board authorization
  • 9. Outgoing webhook delivery trusted caller-supplied integration object
  • 10. userPositionHistory checkpoint methods missing board visibility check (PositionHistoryBleed class)
  • 11. Custom Field allow rules used membership not write-access — read-only members could write Custom Fields via DDP (ReadOnlyBleed class)
  • 12. Comment-reaction allow rules let read-only members add/remove reactions
  • 13. archiveBoard required only membership, not board admin (UI gates it behind admin)
  • 14. sendSMTPTestEmail required only login, not global admin
  • Affected Wekan v9.34 and earlier
  • Fixed at Wekan v9.35, see CHANGELOG
  • More details
CVE-2026-53444 GHSA-cv95-8h7c-2ffq, CVE-2026-52893 GHSA-mp7g-hj5q-gxhq

OIDCBleed

2026-05-31 alexwaira (coordinated disclosure) and Claude

Did send detailed report!
  • 1. Missing authorization on OIDC Meteor methods allows privilege escalation to admin (CVE-2026-53444 GHSA-cv95-8h7c-2ffq, CWE-269, CWE-862). Six OIDC-flow methods were globally DDP-callable; groupRoutineOnLogin could set isAdmin from caller data
  • 2. OIDC account takeover via unconditional email-based account merge in Accounts.onCreateUser (CVE-2026-52893 GHSA-mp7g-hj5q-gxhq, CWE-287)
  • Affected Wekan v9.31 and earlier
  • Fixed at Wekan v9.32 2026-05-31
  • More details
CVE-2026-52892 GHSA-6733-4wgq-8xvr

ReadOnlyBleed

2026-05-31 Wernerina (coordinated disclosure) and Claude

Did send detailed report!
  • 1. Read-only board members could create/modify/delete Custom Fields (CVE-2026-52892 GHSA-6733-4wgq-8xvr, CWE-862). The six mutating Custom Field REST handlers used the read-level checkBoardAccess instead of checkBoardWriteAccess
  • Affected Wekan v9.31 and earlier
  • Fixed at Wekan v9.32 2026-05-31
  • More details
CVE-2026-53446 GHSA-hc3x-hq3m-663q, CVE-2026-53445 GHSA-7w2h-g83c-jqrp

WebhookBleed

2026-05-31 Claude

Found and fixed by code review.
  • 1. Server-Side Request Forgery (SSRF) via webhook integration URLs — input-side validation (CVE-2026-53446 GHSA-hc3x-hq3m-663q, CWE-918). Builds on the v8.35/v8.36 IntegrationBleed delivery-layer fix
  • 2. Authorization bypass in copyBoard DDP method allows any user to copy private boards (CVE-2026-53445 GHSA-7w2h-g83c-jqrp, CWE-862). Tightened to require board admin, matching the REST endpoint
  • 3. Regression from the avatar RCE fix (CVE-2026-52891 GHSA-35j7-h385-2q9g): external antivirus scanner broken (asyncExec undefined)
  • Affected Wekan v9.31 and earlier
  • Fixed at Wekan v9.32 2026-05-31
  • More details
CVE-2026-52890 GHSA-g6vm-7757-pr88

FileBleed

2026-05-27 Jan Kahmen of turingpoint GmbH

Reported responsibly, fixed quickly.
  • 1. Arbitrary file read and server DoS via attachment versions.original.path (CVE-2026-52890 GHSA-g6vm-7757-pr88, CWE-22, CWE-400)
  • Affected Wekan v9.30 and earlier
  • Fixed at Wekan v9.31 2026-05-27
  • More details
-

BFLABleed

2026-05-19 Fredrik Dietrichson

Did send detailed report with full PoC and runtime verification!
  • 1. BFLABleed — Broken Function Level Authorization: 48 REST endpoints missing await on board access checks, allowing authenticated non-members to read/write any board.
  • CVSS: 8.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N)
  • Affected Wekan v9.20-v9.22
  • Fixed: see CHANGELOG
  • More details
-

AuthBleed

2026-05-07 11:39 EET Qiulin Deng

Did send detailed report with full PoC and runtime verification!
  • 1. OIDCBleed
  • 2. CopyCardBleed
  • 3. CopyBoardBleed
  • 4. CopyListBleed
  • 5. DueDateBleed
  • 6. CopySwimlaneBleed
  • 7. MoveListBleed
  • CVSS: 9.1 — Affected Wekan v9.08 and earlier
  • Fixed at Wekan v9.09 2026-05-07
  • More details
-

AvatarBleed

2026-05-03 13:57 EET Trung Nguyen from CyStack Security

Did send detailed report and suggested fix!
CVE-2026-41455 (IntegrationBleed FileBleed), CVE-2026-41454 (IntegrationBleed RebindBleed)

IntegrationBleed

2026-02-24 15:09 EET Rodolphe GHIO

Did send detailed report and fix!
-

AnchorBleed

2026-02-12 11:16 EET The GitHub Security Lab team

Did send detailed report and fix!
  • 1. GHSL-2026-035_Wekan CursorBleed
  • 2. GHSL-2026-036_Wekan WatchBleed
  • 3. GHSL-2026-037_Wekan GlobalBleed
  • 4. GHSL-2026-044_Wekan CustomFieldBleed
  • 5. GHSL-2026-045_Wekan ImportBleed
  • Affected Wekan v8.33 and earlier
  • Fixed at Wekan v8.34 2026-02-20
  • More details
-

FloppyBleed

2026-01-24 18:30 EET Luke Hebenstreit of Twitter lheben_

Did send detailed report!
-

SnowBleed

2026-01-05 15:46 EET Joshua Rogers of Aisle Research

Did send detailed report!
  • 1. MigrationsBleed
  • 2. OrgsTeamsBleed
  • 3. ChecklistRESTBleed
  • 4. MigrationsBleed2
  • 5. PositionHistoryBleed
  • 6. SyncLDAPBleed
  • 7. AttachmentMigrationBleed
  • 8. MoveStorageBleed
  • 9. ListWIPBleed
  • 10. BoardTitleRESTBleed
  • 11. CardPubSubBleed
  • 12. FixDuplicateBleed
  • 13. LinkedBoardActivitiesBleed
  • 14. RulesBleed
  • Affected Wekan v8.19
  • Fixed at Wekan v8.20 2026-01-16 and Wekan v8.21 2026-01-18
  • More details
-

MegaBleed

2025-12-26 18:39 EET Joshua Rogers of Aisle Research

Did send detailed report!
  • 1. IDOR in setCreateTranslation. Non-admin could change Custom Translation
  • 2. Private-only board setting can be bypassed
  • 3. Card comment author spoofing (IDOR) via API
  • 4. Cross-board card move without destination authorization
  • 5. Read-only roles can still update cards
  • 6. Checklist delete IDOR: checklist not verified against board/card
  • 7. Checklist create IDOR: cardId not verified against boardId
  • 8. Attachments publication leaks metadata without auth
  • 9. Attachment upload not scoped to card/board relationship
  • 10. LDAP filter injection in LDAP auth
  • Affected Wekan v8.18
  • Fixed at Wekan v8.19 2025-12-29
  • More details
-

SpaceBleed

2025-11-02 03:29 EET Siam Thanat Hack (STH)

Did send detailed report!
  • 1. File Attachments enables stored XSS (High)
  • 2. Access to boards of any Orgs/Teams (High)
  • 3. Unauthenticated (or any) user can update board ‘sort’ (Low)
  • 4. Members can forge others’ votes (Low)
    Bonus: similar fixes were also made to planning poker by xet7.
  • 5. Attachment API uses bearer value as userId and DoS (Low)
  • Affected Wekan v8.15
  • Fixed at Wekan v8.16 2025-11-02
  • More details
CVE-2021-20654

JVN: Many fixed.

FieldBleed

JVN: 2021-2025 Many fixed.
Cyb3rjunky and swsjona about input fields. Ryoya Koyama at Mitsui Bussan Secure Directions, Inc. (https://www.mbsd.jp/) about JavaScript inside .SVG attachment
Romain Korpas at apitech.fr about IDOR. Nguyen Thanh Nguyen of Fortinet's FortiGuard Labs about SVG. Sho Sugiyama about XSS. And some anonymous security researchers.

Did send detailed report!
  • XSS: JavaScript saved to a field, and JavaScript inside an .SVG attachment, is run when the page is reloaded
  • Affected Wekan v3.12-v4.11
  • Fixed at Wekan v4.12 2020-06-08
  • More details
  • Fixed at WeKan v7.98 or earlier:
    • IDOR CWE-639 that affected WeKan 7.80-7.93: Romain Korpas at apitech.fr.
    • Computational Resource Abuse in Export endpoints: Anonymous Security Researcher.
    • FG-VD-22-078 Prevent SVG Billion Laughs Attack: Nguyen Thanh Nguyen of Fortinet's FortiGuard Labs.
    • usd-2022-0041 CWE-284 Improper Access Control: Christian Pöschl of usd AG.
    • JVN#14269684 Broken access control, JVN#74210258 Stored XSS, JVN#86586539 Stored XSS: Ryoya Koyama.
    • JVN#15385465 CWE-79 XSS: Sho Sugiyama.
    • JVN#80785288 CWE-79 XSS: Already previously fixed.
- SocialBleed

2023-05-11 19.14 EET Rajesh Thapa

Did send detailed report!
  • Security: Links to Social Media at wekan.fi could lead to theft of sensitive information
  • Affected Wekan website before 2024-05-12 05.34 EET
  • Fixed at Wekan website 2023-05-12 05.34 EET
  • More details
- AdminBleed

2023-04-24 16.40 EET Christian Pöschl of usd AG Responsible Disclosure Team

Did send detailed report!
  • Security: Non-Admin could change to Admin
  • Affected Wekan v6.85 and earlier
  • Fixed at Wekan v6.86 2023-04-26
  • More details
- InvisibleBleed

2023-04-24 03.35 EET Someone at chat

Sent report and disappeared.
  • Security: HTML comments not visible
  • Affected Wekan v6.85 and earlier
  • Fixed at Wekan v6.86 2023-04-26
  • More details
CVE-2023-31779 ReactionBleed

2023-02-28 12.36 EET Alexander Starikov at Jet Infosystems

Did send detailed report and fix!
- FileBleed

2023-02-16 17.35 EET SEC Consult, an Atos company

Did send detailed report!
- Emailbleed

2021-01-26 12.42 EET Georg Krause

Did send detailed report!
  • Security: SMTP password visible to Admin at Admin Panel by using browser inspect to see behind asterisks
  • Affected Wekan v1.59-v4.98
  • Fixed at Wekan v4.99 2021-02-25
  • More details
CVE-2021-3309 LDAPBleed

2021-01-26 0:42 EET robert-scheck

Did send report and sent fix! Although the report was a public GitHub issue, not via Responsible Security Disclosure
- DUEBleed

2021-01-11 EET xet7 - maintainer of Wekan

Did not notice the security issue originally when merging a new feature from a pull request. Did fix the issue when finally noticing it in production on the Wekan demo server.
  • Due Cards and Broken Cards: as Admin user, the All Users view of Due Cards and Broken Cards was fixed to not show cards from other users' private boards. This affected only the logged-in Admin user, not other logged-in users.
  • Affected Wekan v4.73-v4.74
  • Fixed at Wekan v4.75 2021-01-11
  • More details
VRF#20-08-SGSSC. BypassBleed

2020-02-26 01:36 EET Dejan Zelic, Justin Benjamin and others at Offensive Security

Did send detailed report and helped fixing!
  • Auth Bypass
  • Unauthenticated SSRF
  • DoS
  • Unauthenticated Username Change
  • Unauthenticated Os Statistics
  • Affected Wekan v0.7-v3.80
  • Fixed at Wekan v3.81 2020-03-01
  • More details
VRF#20-08-DDFJJ. UserBleed

2018-06-12 Adrian Genaid at PLANTA Projektmanagement-Systeme GmbH

Did send detailed report and fix!
CVE-2018-1000549,
In Progress Update Request 938446
BruteBleed

2018-06-12 Shadow Vault

Did not report to Wekan, was found later from CVE
VRF#20-08-LZGVF. FrameBleed

2018-03-25 Team

Did send detailed report!
  • Cross Frame Scripting
  • Clickjacking
  • Improper Cache Control
  • Affected Wekan v0.7-v0.79
  • More details