PT-2026-60323 · Wekan · Wekan
Published
2026-07-15
·
Updated
2026-07-16
·
CVE-2026-53447
CVSS v3.1
6.5
Medium
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
Wekan versions prior to 9.35
Description
The
cloneBoard Meteor method in models/import.js fails to invoke the canExport() function or verify membership of the source board when using the sourceBoardId variable. This allows an authenticated user who possesses a private board ID to clone that board into their own account, granting unauthorized access to cards, comments, attachments, member information, and activities.Recommendations
Update to version 9.35.
Fix
IDOR
Missing Authorization
Found an issue in the description? Have something to add? Feel free to write us 👾
Related Identifiers
Affected Products
Wekan