CVE-2026-59154: Wekan Authorization Bypass Vulnerability Disclosed
Ask AI about this cluster
Analyzing cluster data...
Referenced clusters:
Something went wrong. Please try again.
Cluster AI
Ask questions about this threat cluster with AI-powered analysis.
Get Researcher $29.99/moArticle Content
A critical vulnerability, CVE-2026-59154, was published on July 10, 2026, affecting Wekan, an open-source kanban tool built with Meteor. The flaw allows low-privileged authenticated users with write access to one board to bypass authorization checks, enabling them to create checklist data on accessible cards and move it into private boards where they are not members. This vulnerability is due to the lack of inspection of destination cardId or boardId in update modifiers. It has been assigned a CVSS base score of 4.3, indicating medium risk. The issue has been resolved in version 9.64 of Wekan. Security professionals are advised to update to the latest version to mitigate this risk.
Key Points: • CVE-2026-59154 allows unauthorized access to private boards in Wekan. • The vulnerability affects versions prior to 9.64 and has a CVSS score of 4.3. • Users are urged to upgrade to version 9.64 to address this security issue.