CVE-2026-55234

Wekan · Wekan

Wekan contains multiple authorization bypass and access control vulnerabilities that allow authenticated users to perform unauthorized actions.

Executive summary

Wekan versions prior to 9.37 are vulnerable to authorization bypass flaws, potentially allowing authenticated users to perform unauthorized system operations.

Vulnerability

The application suffers from improper access control and authorization bypass through user-controlled keys. These flaws require the attacker to be an authenticated user to exploit the vulnerable functions.

Business impact

Successful exploitation allows an authenticated user to bypass security constraints, leading to unauthorized data manipulation or integrity loss within the kanban environment. Given the CVSS score of 8.5, this high-severity vulnerability poses a significant risk to project management workflows, potentially exposing sensitive internal planning data or disrupting operational productivity.

Remediation

Immediate Action: Update Wekan to version 9.37 or later immediately to incorporate the necessary security patches.

Proactive Monitoring: Review application access logs for unusual patterns of API requests or attempts to access kanban boards that fall outside of assigned user permissions.

Compensating Controls: Implement strict network segmentation and ensure that the Wekan instance is not exposed to the public internet without an authenticated proxy or VPN.

Exploitation status

Public Exploit Available: Unknown

Analyst recommendation

The presence of a proof-of-concept combined with the high CVSS score necessitates immediate attention. Administrators must prioritize updating to version 9.37 to mitigate the risk of unauthorized access and potential data compromise.