PT-2026-60327 · Wekan · Wekan
Published
2026-07-15
·
Updated
2026-07-15
·
CVE-2026-55652
CVSS v3.1
9.8
Critical
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
Wekan is open source kanban built with Meteor. Prior to 9.46, header-login with HEADER LOGIN TRUSTED IPS uses getRequestIp() in server/lib/headerLoginAuth.js to trust the client-supplied X-Forwarded-For header before the real socket address, allowing an unauthenticated attacker to send HEADER LOGIN ID for any username and receive a meteor login token session, including for admin. This issue is fixed in version 9.46.
Fix
Authentication Bypass by Spoofing
Improper Authentication
Found an issue in the description? Have something to add? Feel free to write us 👾
Related Identifiers
Affected Products
Wekan