PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-59154 wekan CVE debrief

A cross-board authorization bypass vulnerability exists in Wekan, a Meteor-based open-source kanban platform. This issue, tracked as CVE-2026-59154, allows a low-privileged authenticated user with write access to one board and knowledge of a target private card ID to create checklist data on an accessible card and move it into a private board where they are not a member. The vulnerability is fixed in Wekan version 9.64. This issue has a CVSS score of 4.3 and a severity of MEDIUM. Administrators and users should be aware of this vulnerability and take immediate action to update their installations.

Vendor
wekan
Product
Unknown
CVSS
MEDIUM 4.3
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-10
Original CVE updated
2026-07-10
Advisory published
2026-07-10
Advisory updated
2026-07-10

Who should care

Administrators and users of Wekan versions prior to 9.64 should be aware of this vulnerability and take immediate action to update their installations. This vulnerability could potentially allow unauthorized access to sensitive information or disruption of service. Users with write access to boards and knowledge of private card IDs are at risk of exploitation.

Technical summary

The vulnerability arises from the direct Meteor collection allow rules for Checklists and ChecklistItems in Wekan. Updates are authorized only against the current source doc.cardId and do not inspect the destination cardId or boardId in the update modifier. This oversight enables a low-privileged authenticated user to bypass cross-board authorization, potentially leading to unauthorized data access or modification. The issue can be mitigated by updating to Wekan version 9.64 or later.

Defensive priority

High

Recommended defensive actions

  • Update Wekan to version 9.64 or later
  • Restrict access to sensitive boards and cards
  • Monitor for suspicious activity
  • Implement additional access controls
  • Review compensating controls for exposed systems while remediation is scheduled and verified
  • Check relevant monitoring, detection, and logs for exposed assets that need extra review
  • Track exceptions, retest remediated assets, and close the item only after evidence is documented

Evidence notes

The CVE record was published on 2026-07-10T17:17:02.113Z and last modified on 2026-07-10T21:17:00.340Z. The NVD entry is currently Deferred. Limited source detail is available. Defenders should verify the official CVE record and NVD entry for the most current information. Additional verification tasks are recommended due to the limited information provided.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-10T17:17:02.113Z and has not been modified since then. The NVD entry is currently Deferred.