PT-2026-60320 · Wekan · Wekan
Publicado
2026-07-15
·
Atualizado
2026-07-15
·
CVE-2026-53444
CVSS v4.0
7.6
Alta
| Vetor | AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N |
Wekan is open source kanban built with Meteor. Prior to 9.32, Wekan OIDC-related Meteor methods in packages/wekan-oidc/oidc server.js, server/models/org.js, and server/models/team.js are globally callable without the admin authorization checks used by their non-OIDC counterparts. Authenticated users can call setCreateOrgFromOidc, setOrgAllFieldsFromOidc, setCreateTeamFromOidc, setTeamAllFieldsFromOidc, boardRoutineOnLogin, or groupRoutineOnLogin to create or modify organizations and teams, and groupRoutineOnLogin can grant global admin privileges when PROPAGATE OIDC DATA is enabled. This issue is fixed in version 9.32.
Correção
Missing Authorization
Improper Privilege Management
Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾
Identificadores relacionados
Produtos afetados
Wekan