PT-2026-60320 · Wekan · Wekan

Published

2026-07-15

·

Updated

2026-07-15

·

CVE-2026-53444

CVSS v4.0

7.6

High

VectorAV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N
Wekan is open source kanban built with Meteor. Prior to 9.32, Wekan OIDC-related Meteor methods in packages/wekan-oidc/oidc server.js, server/models/org.js, and server/models/team.js are globally callable without the admin authorization checks used by their non-OIDC counterparts. Authenticated users can call setCreateOrgFromOidc, setOrgAllFieldsFromOidc, setCreateTeamFromOidc, setTeamAllFieldsFromOidc, boardRoutineOnLogin, or groupRoutineOnLogin to create or modify organizations and teams, and groupRoutineOnLogin can grant global admin privileges when PROPAGATE OIDC DATA is enabled. This issue is fixed in version 9.32.

Fix

Missing Authorization

Improper Privilege Management

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-53444

Affected Products

Wekan