PatchSiren cyber security CVE debrief
CVE-2026-53447 wekan CVE debrief
CVE-2026-53447 is a vulnerability in the Wekan open-source kanban built with Meteor. The cloneBoard Meteor method in models/import.js allows an authenticated user to clone a private board into their own account and read its cards, comments, attachments, member information, and activities without proper authorization checks. This issue is fixed in version 9.35. The vulnerability has a CVSS score of 6.5 and a MEDIUM severity. Users of Wekan kanban software, especially those with private boards, should be aware of this vulnerability.
- Vendor
- wekan
- Product
- Unknown
- CVSS
- MEDIUM 6.5
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-15
- Original CVE updated
- 2026-07-16
- Advisory published
- 2026-07-15
- Advisory updated
- 2026-07-16
Who should care
Users of Wekan kanban software, especially those with private boards, should be aware of this vulnerability. An authenticated user with knowledge of a private board ID can exploit this issue to access sensitive information. Wekan administrators should review their board configurations and ensure proper authorization checks are in place.
Technical summary
The vulnerability exists in the cloneBoard Meteor method in models/import.js of the Wekan open-source kanban software built with Meteor. This method uses a caller-supplied sourceBoardId to build a board export through models/exporter.js without invoking canExport() or checking source-board membership. Consequently, any authenticated user who knows a private board ID can clone the board into their own account and read its cards, comments, attachments, member information, and activities without proper authorization checks. This issue allows unauthorized access to sensitive board information and has been fixed in version 9.35.
Defensive priority
Medium priority due to the CVSS score of 6.5 and the potential for unauthorized access to sensitive board information. Defenders should prioritize upgrading to version 9.35 or later and restrict access to board IDs to prevent exploitation.
Recommended defensive actions
- Upgrade Wekan to version 9.35 or later
- Restrict access to board IDs and ensure proper authorization checks
- Monitor for suspicious cloning activities
- Implement additional logging and auditing for board access
- Review compensating controls for exposed systems while remediation is scheduled and verified
- Check relevant monitoring, detection, and logs for exposed assets that need extra review
- Track exceptions, retest remediated assets, and close the item only after evidence is documented
Evidence notes
The CVE record was published on 2026-07-15T22:17:17.240Z and last modified on 2026-07-16T19:16:49.980Z. The NVD entry is currently Deferred. There is limited information available about the vulnerability, and defenders should verify the affected scope and severity with the vendor. The cloneBoard Meteor method in models/import.js allows an authenticated user to clone a private board into their own account and read its cards, comments, attachments, member information, and activities without proper authorization checks.
Official resources
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-15T22:17:17.240Z and has not been modified since then. The NVD entry is currently Deferred.