PatchSiren cyber security CVE debrief
CVE-2026-53445 wekan CVE debrief
CVE-2026-53445 is a high-severity vulnerability in Wekan, an open-source kanban built with Meteor. Prior to version 9.32, the Wekan copyBoard Meteor DDP method in server/publications/boards.js allows any authenticated user to copy a private board, including its cards, checklists, custom fields, labels, and rules, without checking this.userId, membership, or admin access. The REST POST /api/boards/:boardId/copy path correctly checks board admin access. This issue is fixed in version 9.32.
- Vendor
- wekan
- Product
- Unknown
- CVSS
- HIGH 7.1
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-15
- Original CVE updated
- 2026-07-16
- Advisory published
- 2026-07-15
- Advisory updated
- 2026-07-16
Who should care
Users of Wekan open source kanban built with Meteor, especially those using versions prior to 9.32, should be aware of this vulnerability and take immediate action to update to the latest version. This includes operators, platform administrators, vulnerability management teams, and security teams who need to assess the impact on their environments and implement necessary mitigations.
Technical summary
The vulnerability exists in the copyBoard Meteor DDP method in server/publications/boards.js of Wekan. This method allows authenticated users to copy a board by supplying the board ID without proper access checks. Specifically, it does not verify this.userId, membership, or admin access. As a result, any authenticated user can copy a private board, including its associated data such as cards, checklists, custom fields, labels, and rules. This is in contrast to the REST POST /api/boards/:boardId/copy path, which correctly enforces board admin access checks. The issue has been addressed in version 9.32 of Wekan.
Defensive priority
High priority should be given to updating Wekan to version 9.32 or later due to the high severity of the vulnerability and the potential for authenticated users to copy private boards without access checks. Additionally, reviewing and restricting access to sensitive boards, monitoring for suspicious board copying activity, and implementing additional access controls for board copying are recommended defensive measures. These actions are crucial to mitigate the risk associated with this vulnerability and protect sensitive information that could be exposed through the exploitation of this issue in Wekan deployments prior to version 9.32.
Recommended defensive actions
- Update Wekan to version 9.32 or later
- Review and restrict access to sensitive boards
- Monitor for suspicious board copying activity
- Implement additional access controls for board copying
- Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up.
- Review the supplied official advisory or CVE record to validate affected scope, severity, and vendor guidance.
- Plan vendor-supported updates or mitigations through normal change control where exposure is confirmed.
Evidence notes
The CVE record was published on 2026-07-15T22:17:16.973Z and was last modified on 2026-07-16T14:16:53.950Z. The NVD entry is currently Deferred. The vulnerability has a CVSS score of 7.1 and is classified as HIGH severity. Evidence is limited, and defenders should verify the affected scope and vendor guidance. The CVE details indicate that any authenticated user can copy a private board, including its cards, checklists, custom fields, labels, and rules, without proper access checks.
Official resources
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-15T22:17:16.973Z and has not been modified since then. The NVD entry is currently Deferred.