Auth bypass in Wekan

CVE-2026-53444

Wekan is open source kanban built with Meteor. Prior to 9.32, Wekan OIDC-related Meteor methods in packages/wekan-oidc/oidc_server.js, server/models/org.js, and server/models/team.js are globally callable without the admin authorization ch…

Vulnerability class: Privilege Escalation

Affected products

  • Wekan — versions < 9.32

Weakness classification (CWE)

References