

CVE: -
Vulnerability name: BFLABleed
Date: 2026-05-19
Responsible security disclosure by: Fredrik Dietrichson
Vulnerabilities:
  Sent a detailed report with full PoC and runtime verification.
  • 1. BFLABleed: Broken Function Level Authorization. 48 REST endpoints are missing an await on their board access checks, so the handler proceeds before the check has completed and any authenticated user who is not a board member can read and write any board.
  • CVSS: 8.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N)
  • Affected: Wekan v9.20-v9.22
  • Fixed: see CHANGELOG
  • More details: see Timeline Details below
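Why a missing await on an asynchronous access check turns into a Broken Function Level Authorization bug, as an added illustration that is not Wekan's code and not from the reporter's PoC. The board store, the isBoardMember and assertBoardAccess checks, and the handler names are all hypothetical stand-ins; the two vulnerable variants cover the two ways an un-awaited check fails (a boolean check whose Promise is always truthy, and a throwing check whose rejection arrives after the data has been returned), and the wrapper at the end is the kind of single guard a practitioner would reach for instead of fixing 48 endpoints one by one.

```javascript
// Added illustration, not Wekan's code. All names (boards, isBoardMember,
// assertBoardAccess, the handlers) are hypothetical stand-ins for an async
// board access check and the REST handlers that call it.

// Constructed sample data: one board with a single member.
const boards = new Map([
  ['b1', { title: 'Roadmap', members: new Set(['alice']), cards: ['c1', 'c2'] }],
]);

// Hypothetical async membership check (e.g. backed by a database lookup).
async function isBoardMember(userId, boardId) {
  await Promise.resolve(); // stand-in for the asynchronous store access
  const board = boards.get(boardId);
  return Boolean(board && board.members.has(userId));
}

// Hypothetical variant of the check that throws instead of returning false.
async function assertBoardAccess(userId, boardId) {
  if (!(await isBoardMember(userId, boardId))) throw new Error('forbidden');
}

// VULNERABLE 1: boolean check not awaited. isBoardMember() returns a Promise,
// and a Promise object is truthy, so `!promise` is always false and the 403
// branch is dead code. Every caller, member or not, reads the board.
async function getBoardVuln1(userId, boardId) {
  if (!isBoardMember(userId, boardId)) {            // missing await
    return { status: 403 };
  }
  return { status: 200, cards: [...boards.get(boardId).cards] };
}

// VULNERABLE 2: throwing check not awaited. The handler returns the data
// first; the rejection arrives later as an unhandled rejection, never as a
// 403 to the caller. (The .catch() is only here to keep this demo process
// alive; in the real bug nothing is attached to the promise.)
async function getBoardVuln2(userId, boardId) {
  assertBoardAccess(userId, boardId).catch(() => {}); // missing await
  return { status: 200, cards: [...boards.get(boardId).cards] };
}

// FIXED: await the check so a non-member gets 403 before any read.
async function getBoardFixed(userId, boardId) {
  if (!(await isBoardMember(userId, boardId))) {
    return { status: 403 };
  }
  return { status: 200, cards: [...boards.get(boardId).cards] };
}

// Hardening for a large set of endpoints: one wrapper that awaits the check
// before any handler runs, so no individual handler can forget the await.
function requireBoardAccess(handler) {
  return async (userId, boardId, ...args) => {
    if (!(await isBoardMember(userId, boardId))) return { status: 403 };
    return handler(userId, boardId, ...args);
  };
}

// A write endpoint behind the wrapper.
const addCardFixed = requireBoardAccess(async (userId, boardId, title) => {
  boards.get(boardId).cards.push(title);
  return { status: 200, cards: [...boards.get(boardId).cards] };
});

// Regression check: call every handler as a non-member and report the ones
// that do not answer 403.
async function findLeakyHandlers(handlers) {
  const leaky = [];
  for (const [name, handler] of Object.entries(handlers)) {
    const res = await handler('mallory', 'b1', 'injected');
    if (res.status !== 403) leaky.push(name);
  }
  return leaky;
}

findLeakyHandlers({ getBoardVuln1, getBoardVuln2, getBoardFixed, addCardFixed })
  .then((leaky) => console.log('handlers reachable by a non-member:', leaky));
```

The regression check is the part worth keeping around: a test that calls every endpoint as a non-member and expects 403 catches a forgotten await regardless of which of the two failure modes it produces, whereas a code review has to spot the missing keyword on each of the affected call sites.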


Timeline Details
2026-05-19 Report received from Fredrik Dietrichson: 48 REST endpoints missing an await on their board access checks, allowing authenticated non-members to read and write any board. CVSS 8.1.
2026-05-21 Fix released. See CHANGELOG for details.

