PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-53447 wekan CVE debrief

CVE-2026-53447 is a vulnerability in the Wekan open-source kanban built with Meteor. The cloneBoard Meteor method in models/import.js allows an authenticated user to clone a private board into their own account and read its cards, comments, attachments, member information, and activities without proper authorization checks. This issue is fixed in version 9.35. The vulnerability has a CVSS score of 6.5 and a MEDIUM severity. Users of Wekan kanban software, especially those with private boards, should be aware of this vulnerability.

Vendor
wekan
Product
Unknown
CVSS
MEDIUM 6.5
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-15
Original CVE updated
2026-07-16
Advisory published
2026-07-15
Advisory updated
2026-07-16

Who should care

Users of Wekan kanban software, especially those with private boards, should be aware of this vulnerability. An authenticated user with knowledge of a private board ID can exploit this issue to access sensitive information. Wekan administrators should review their board configurations and ensure proper authorization checks are in place.

Technical summary

The vulnerability exists in the cloneBoard Meteor method in models/import.js of the Wekan open-source kanban software built with Meteor. This method uses a caller-supplied sourceBoardId to build a board export through models/exporter.js without invoking canExport() or checking source-board membership. Consequently, any authenticated user who knows a private board ID can clone the board into their own account and read its cards, comments, attachments, member information, and activities without proper authorization checks. This issue allows unauthorized access to sensitive board information and has been fixed in version 9.35.

Defensive priority

Medium priority due to the CVSS score of 6.5 and the potential for unauthorized access to sensitive board information. Defenders should prioritize upgrading to version 9.35 or later and restrict access to board IDs to prevent exploitation.

Recommended defensive actions

  • Upgrade Wekan to version 9.35 or later
  • Restrict access to board IDs and ensure proper authorization checks
  • Monitor for suspicious cloning activities
  • Implement additional logging and auditing for board access
  • Review compensating controls for exposed systems while remediation is scheduled and verified
  • Check relevant monitoring, detection, and logs for exposed assets that need extra review
  • Track exceptions, retest remediated assets, and close the item only after evidence is documented

Evidence notes

The CVE record was published on 2026-07-15T22:17:17.240Z and last modified on 2026-07-16T19:16:49.980Z. The NVD entry is currently Deferred. There is limited information available about the vulnerability, and defenders should verify the affected scope and severity with the vendor. The cloneBoard Meteor method in models/import.js allows an authenticated user to clone a private board into their own account and read its cards, comments, attachments, member information, and activities without proper authorization checks.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-15T22:17:17.240Z and has not been modified since then. The NVD entry is currently Deferred.