Auth bypass in Wekan

CVE-2026-53445

Wekan is open source kanban built with Meteor. Prior to 9.32, the Wekan copyBoard Meteor DDP method in server/publications/boards.js copies a board by caller-supplied board ID without checking this.userId, membership, or admin access. Any…

Vulnerability class: Broken Access Control

Affected products

  • Wekan — versions < 9.32

Weakness classification (CWE)

References