
CVE: CVE-2026-52892 GHSA-6733-4wgq-8xvr
Vulnerability name: ReadOnlyBleed
Date: 2026-05-31
Responsible Security Disclosure by: Wernerina (coordinated disclosure) and Claude
Vulnerabilities: Did send detailed report!
  • 1. Read-only members could write Custom Fields
  • Affected Wekan v9.31 and earlier
  • Fixed at Wekan v9.32 2026-05-31


Details

Read-only board members could create/modify/delete Custom Fields (CVE-2026-52892 GHSA-6733-4wgq-8xvr, CWE-862)

All six mutating REST handlers in server/models/customFields.js (POST/PUT custom-fields, POST/PUT/DELETE dropdown-items, DELETE custom-fields) called the read-level Authentication.checkBoardAccess instead of the write-level checkBoardWriteAccess. A board member holding a read-only role (isReadOnly / isReadAssignedOnly) could therefore create, modify and delete Custom Field data through the REST API when WITH_API=true. This is a privilege escalation caused by applying read-level authorization to write operations (missing authorization, CWE-862).

Fix: replaced the check with checkBoardWriteAccess in all six mutating handlers (the two GET handlers correctly stay on checkBoardAccess), mirroring lists.js/swimlanes.js/cards.js.
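To make the difference between the two checks concrete, the following is an added example written for this page, not Wekan's own server/models/customFields.js: it models a board with normal and read-only members, a read-level check in the spirit of checkBoardAccess, a write-level check in the spirit of checkBoardWriteAccess, and one POST custom-fields handler in its pre-fix and post-fix shape. The member fields, the in-memory store and the handler bodies are assumptions made for the demonstration.

```javascript
// Constructed sample board: one normal member and two members whose role
// is read-only (the isReadOnly / isReadAssignedOnly flags named in the advisory).
const board = {
  _id: 'board1',
  members: [
    { userId: 'alice', isActive: true, isReadOnly: false },
    { userId: 'bob', isActive: true, isReadOnly: true },
    { userId: 'carol', isActive: true, isReadAssignedOnly: true },
  ],
};

function findMember(b, userId) {
  return b.members.find((m) => m.userId === userId && m.isActive);
}

// Read-level check (assumed shape, modelled on checkBoardAccess): any active
// board member passes. Correct for the two GET handlers, insufficient for writes.
function checkBoardAccess(userId, b) {
  if (!findMember(b, userId)) throw new Error('not-authorized');
}

// Write-level check (assumed shape, modelled on checkBoardWriteAccess): members
// holding a read-only role are rejected in addition to non-members.
function checkBoardWriteAccess(userId, b) {
  const m = findMember(b, userId);
  if (!m || m.isReadOnly || m.isReadAssignedOnly) throw new Error('not-authorized');
}

// In-memory stand-in for the CustomFields collection.
const customFields = [];

// Handler shape of v9.31 and earlier: the write guarded only by the read check,
// so a read-only member's POST is accepted and a document is inserted.
function createCustomFieldVulnerable(userId, b, name) {
  checkBoardAccess(userId, b);
  customFields.push({ boardId: b._id, name, createdBy: userId });
  return true;
}

// Handler shape of the v9.32 fix: identical operation, write-level check.
function createCustomFieldFixed(userId, b, name) {
  checkBoardWriteAccess(userId, b);
  customFields.push({ boardId: b._id, name, createdBy: userId });
  return true;
}

// Runs a handler as the given user and reports the authorization outcome.
function attempt(handler, userId, name) {
  try { handler(userId, board, name); return 'allowed'; } catch (e) { return 'denied'; }
}
```

Running attempt() with each handler shows the vulnerable shape accepting the read-only member 'bob' while the fixed shape denies 'bob' and 'carol' but still accepts the normal member 'alice'.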



Timeline
  • 2026-05 Report received from Wernerina (coordinated disclosure).
  • 2026-05-31 Fixed at Wekan v9.32 2026-05-31

