CVE-2026-30843

Name of the Vulnerable Software and Affected Versions Wekan versions 8.32 through 8.33

Description Wekan is an open-source kanban tool built with Meteor. Versions 8.32 and 8.33 contain a critical Insecure Direct Object Reference (IDOR) issue. This allows unauthorized users to modify custom fields across different boards through custom fields update endpoints, potentially leading to unauthorized data manipulation. The /api/boards/:boardId/custom-fields/:customFieldId API endpoint validates user access to the specified boardId, but the subsequent database update uses only the custom field’s id as a filter without verifying that the field actually belongs to that board. An attacker who owns any board can modify custom fields on any other board by providing a foreign custom field ID. This flaw also exists in the POST, PUT, and DELETE endpoints for dropdown items under custom fields. Required custom field IDs can be obtained by exporting a board, which only requires read access, as the exported JSON includes the IDs of all board components. The authorization check is performed against the incorrect resource, enabling cross-board custom field manipulation.

Recommendations Wekan version 8.34 contains a fix for this vulnerability. Update to version 8.34 to resolve the issue.