PT-2026-60318 · Wekan · Wekan

Published

2026-07-15

·

Updated

2026-07-16

·

CVE-2026-52892

CVSS v3.1

6.5

Medium

VectorAV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions Wekan versions prior to 9.32
Description REST handlers in server/models/customFields.js use read-level Authentication.checkBoardAccess() instead of write-level Authentication.checkBoardWriteAccess() for mutating custom-field routes. This allows a board member with read-only permissions to create, update, or delete board custom fields and dropdown items by calling the /api/boards/:boardId/custom-fields endpoint via POST, PUT, and DELETE methods.
Recommendations Update to version 9.32.

Fix

Missing Authorization

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-52892

Affected Products

Wekan