PatchSiren cyber security CVE debrief
CVE-2026-59154 wekan CVE debrief
A cross-board authorization bypass vulnerability exists in Wekan, a Meteor-based open-source kanban platform. This issue, tracked as CVE-2026-59154, allows a low-privileged authenticated user with write access to one board and knowledge of a target private card ID to create checklist data on an accessible card and move it into a private board where they are not a member. The vulnerability is fixed in Wekan version 9.64. This issue has a CVSS score of 4.3 and a severity of MEDIUM. Administrators and users should be aware of this vulnerability and take immediate action to update their installations.
- Vendor
- wekan
- Product
- Unknown
- CVSS
- MEDIUM 4.3
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-10
- Original CVE updated
- 2026-07-10
- Advisory published
- 2026-07-10
- Advisory updated
- 2026-07-10
Who should care
Administrators and users of Wekan versions prior to 9.64 should be aware of this vulnerability and take immediate action to update their installations. This vulnerability could potentially allow unauthorized access to sensitive information or disruption of service. Users with write access to boards and knowledge of private card IDs are at risk of exploitation.
Technical summary
The vulnerability arises from the direct Meteor collection allow rules for Checklists and ChecklistItems in Wekan. Updates are authorized only against the current source doc.cardId and do not inspect the destination cardId or boardId in the update modifier. This oversight enables a low-privileged authenticated user to bypass cross-board authorization, potentially leading to unauthorized data access or modification. The issue can be mitigated by updating to Wekan version 9.64 or later.
Defensive priority
High
Recommended defensive actions
- Update Wekan to version 9.64 or later
- Restrict access to sensitive boards and cards
- Monitor for suspicious activity
- Implement additional access controls
- Review compensating controls for exposed systems while remediation is scheduled and verified
- Check relevant monitoring, detection, and logs for exposed assets that need extra review
- Track exceptions, retest remediated assets, and close the item only after evidence is documented
Evidence notes
The CVE record was published on 2026-07-10T17:17:02.113Z and last modified on 2026-07-10T21:17:00.340Z. The NVD entry is currently Deferred. Limited source detail is available. Defenders should verify the official CVE record and NVD entry for the most current information. Additional verification tasks are recommended due to the limited information provided.
Official resources
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-10T17:17:02.113Z and has not been modified since then. The NVD entry is currently Deferred.