CVE-2026-55234
Wekan · Wekan
Wekan contains multiple authorization bypass and access control vulnerabilities that allow authenticated users to perform unauthorized actions.
Executive summary
Wekan versions prior to 9.37 are vulnerable to authorization bypass flaws, potentially allowing authenticated users to perform unauthorized system operations.
Vulnerability
The application suffers from improper access control and authorization bypass through user-controlled keys. These flaws require the attacker to be an authenticated user to exploit the vulnerable functions.
Business impact
Successful exploitation allows an authenticated user to bypass security constraints, leading to unauthorized data manipulation or integrity loss within the kanban environment. Given the CVSS score of 8.5, this high-severity vulnerability poses a significant risk to project management workflows, potentially exposing sensitive internal planning data or disrupting operational productivity.
Remediation
Immediate Action: Update Wekan to version 9.37 or later immediately to incorporate the necessary security patches.
Proactive Monitoring: Review application access logs for unusual patterns of API requests or attempts to access kanban boards that fall outside of assigned user permissions.
Compensating Controls: Implement strict network segmentation and ensure that the Wekan instance is not exposed to the public internet without an authenticated proxy or VPN.
Exploitation status
Public Exploit Available: Unknown
Analyst recommendation
The presence of a proof-of-concept combined with the high CVSS score necessitates immediate attention. Administrators must prioritize updating to version 9.37 to mitigate the risk of unauthorized access and potential data compromise.