Hall of Fame image from https://openclipart.org/detail/120343/trophy


CVE: -
Vulnerability name: AuthBleed
Date: 2026-05-07 11:39 EET
Responsible Security Disclosure by: Qiulin Deng
Vulnerabilities:

Sent a detailed report with full PoC and runtime verification!
  • 1. OIDCBleed — Unauthenticated getServiceConfiguration("oidc") returns the full OIDC config, including the client secret
  • 2. CopyCardBleed — Unauthenticated cloning of a victim's private card into an attacker's board
  • 3. CopyBoardBleed — Unauthenticated cloning of an entire private board, with post-copy permission tampering
  • 4. CopyListBleed — Logged-in low-privilege user can clone a victim's private list into an attacker's board
  • 5. DueDateBleed — Logged-in low-privilege user can insert cards into another user's private board
  • 6. CopySwimlaneBleed — Unauthenticated cloning of a victim's private swimlane, list, and card
  • 7. MoveListBleed — Logged-in low-privilege user causes destructive partial state changes on a victim's private list
  • CVSS: 9.1 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L)
  • Affected: Wekan v9.08 and earlier
  • Fixed at Wekan v9.09, 2026-05-07


Timeline:
  • 2026-05-07 11:39 EET: Report received from Qiulin Deng. 7 confirmed authorization vulnerabilities in Wekan v9.08: OIDC config disclosure, unauthorized copyCard, copyBoard, copyList, createCardWithDueDate, copySwimlane, and moveList. CVSS 9.1.
  • 2026-05-07 17:00 EET: Fixed at Wekan v9.09, 2026-05-07

