CVE-2026-55652

Wekan · Wekan

Wekan improperly trusts client-supplied X-Forwarded-For headers during header-based authentication, allowing unauthenticated attackers to spoof identities and gain administrative access.

Executive summary

A critical authentication bypass in Wekan allows unauthenticated attackers to spoof any user identity, including administrative accounts, to gain full access to the application.

Vulnerability

The application trusts the X-Forwarded-For header to determine the client IP address for header-login authentication. An unauthenticated attacker can manipulate this header to bypass authentication checks and impersonate any user, including system administrators.

Business impact

By spoofing an administrator account, an attacker gains complete control over the Wekan instance. This allows for the modification of boards, theft of sensitive project data, and the potential to disrupt all project management operations. The 9.8 CVSS score highlights the extreme risk associated with trivial authentication bypasses.

Remediation

Immediate Action: Update Wekan to version 9.46 or later to enforce secure authentication practices.

Proactive Monitoring: Monitor authentication logs for suspicious login patterns or unexpected administrative actions from untrusted IP ranges.

Compensating Controls: Configure reverse proxies or load balancers to strip or sanitize the X-Forwarded-For header before it reaches the Wekan application.

Exploitation status

Public Exploit Available: No

Analyst recommendation

This is a critical security flaw that renders standard authentication ineffective. Immediate patching is mandatory to secure the environment against unauthorized access. If the update cannot be applied immediately, ensure that the application is not exposed to the public internet and that header-based authentication is disabled.