PT-2026-60327 · Wekan · Wekan

Published

2026-07-15

·

Updated

2026-07-15

·

CVE-2026-55652

CVSS v3.1

9.8

Critical

VectorAV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Wekan is open source kanban built with Meteor. Prior to 9.46, header-login with HEADER LOGIN TRUSTED IPS uses getRequestIp() in server/lib/headerLoginAuth.js to trust the client-supplied X-Forwarded-For header before the real socket address, allowing an unauthenticated attacker to send HEADER LOGIN ID for any username and receive a meteor login token session, including for admin. This issue is fixed in version 9.46.

Fix

Authentication Bypass by Spoofing

Improper Authentication

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-55652

Affected Products

Wekan