PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-52892 wekan CVE debrief

CVE-2026-52892 debrief: In Wekan, REST handlers for custom fields use insufficient authentication, allowing read-only board members to mutate custom fields. This issue is fixed in version 9.32. The vulnerability class is an authentication bypass, with likely operational impact on board security and data integrity. Source-confidence limits are moderate due to official CVE and NVD confirmation. Review context indicates a need for immediate attention to prevent unauthorized access.

Vendor
wekan
Product
Unknown
CVSS
MEDIUM 6.5
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-15
Original CVE updated
2026-07-16
Advisory published
2026-07-15
Advisory updated
2026-07-16

Who should care

Users of Wekan kanban boards should verify their board member permissions and update to version 9.32 or later to prevent unauthorized custom field modifications. Affected operators include Wekan administrators and users with read-only board access. Platform vulnerability-management and security teams should prioritize this issue due to its medium severity and potential impact on board security.

Technical summary

Wekan's REST handlers for custom fields in server/models/customFields.js incorrectly use read-level Authentication.checkBoardAccess instead of write-level Authentication.checkBoardWriteAccess. This allows read-only board members to create, update, or delete board custom fields via POST, PUT, and DELETE requests to /api/boards/:boardId/custom-fields and custom-field dropdown items. The issue is addressed in Wekan version 9.32, which fixes the authentication bypass vulnerability.

Defensive priority

Medium priority for Wekan users; verify board configurations and update to version 9.32 or later to prevent unauthorized custom field modifications.

Recommended defensive actions

  • Verify board member permissions to prevent unauthorized access.
  • Update Wekan to version 9.32 or later.
  • Monitor custom field changes for suspicious activity.
  • Review compensating controls for exposed systems while remediation is scheduled and verified.
  • Check relevant monitoring, detection, and logs for exposed assets that need extra review.
  • Track exceptions, retest remediated assets, and close the item only after evidence is documented.
  • Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up.

Evidence notes

Evidence from official CVE and NVD sources confirms the authentication bypass issue in Wekan versions prior to 9.32. Limited details are available on public exploitation. The issue allows read-only board members to create, update, or delete board custom fields via POST, PUT, and DELETE requests. Wekan's custom fields use insufficient authentication, posing a medium priority risk for users. Verify board configurations and update to version 9.32 or later to prevent unauthorized custom field modifications.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-15T22:17:16.580Z and has not been modified since then.