Auth bypass in Wekan

CVE-2026-52893

Wekan is open source kanban built with Meteor. Prior to 9.32, the Wekan Accounts.onCreateUser hook in server/models/users.js merges OIDC logins into existing accounts when the OIDC email or username matches an existing Wekan user, without…

Vulnerability class: Broken Authentication

Affected products

  • Wekan — versions < 9.32

Weakness classification (CWE)

References