CVE-2026-53447

Source
https://cve.org/CVERecord?id=CVE-2026-53447
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-53447.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-53447
Aliases
  • GHSA-qfqv-42qw-vvwh
Published
2026-07-15T21:12:59.647Z
Modified
2026-07-18T03:41:54.756382286Z
Severity
  • 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
Summary
Wekan: `cloneBoard` Meteor method has no authorization check — any user can clone (read) any private board by ID
Details

Wekan is open source kanban built with Meteor. Prior to 9.35, the Wekan cloneBoard Meteor method in models/import.js uses caller-supplied sourceBoardId to build a board export through models/exporter.js without invoking canExport() or checking source-board membership. Any authenticated user who knows a private board ID can clone the board into their own account and read its cards, comments, attachments, member information, and activities. This issue is fixed in version 9.35.

Database specific
{
    "cwe_ids": [
        "CWE-639",
        "CWE-862"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/53xxx/CVE-2026-53447.json",
    "cna_assigner": "GitHub_M"
}
References

Affected packages

Git / github.com/wekan/wekan

Affected ranges

Type
GIT
Repo
https://github.com/wekan/wekan
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Fixed
Database specific
{
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "9.35"
        }
    ],
    "source": [
        "AFFECTED_FIELD",
        "REFERENCES"
    ]
}

Affected versions

4.*
4.30
4.31
Other
stable
v0.*
v0.10-rc2
v0.10.0
v0.10.0-rc1
v0.10.0-rc3
v0.10.0-rc4
v0.11.0-rc1
v0.11.0-rc2
v0.11.1-rc1
v0.11.1-rc2
v0.12
v0.13
v0.16
v0.17
v0.18
v0.19
v0.20
v0.21
v0.22
v0.23
v0.24
v0.25
v0.26
v0.27
v0.28
v0.29
v0.30
v0.31
v0.32
v0.33
v0.34
v0.35
v0.36
v0.37
v0.38
v0.39
v0.40
v0.41
v0.42
v0.43
v0.44
v0.45
v0.46
v0.47
v0.48
v0.49
v0.50
v0.51
v0.52
v0.54
v0.55
v0.56
v0.57
v0.58
v0.59
v0.60
v0.61
v0.62
v0.63
v0.65
v0.66
v0.67
v0.68
v0.69
v0.70
v0.71
v0.72
v0.73
v0.74
v0.75
v0.76
v0.77
v0.78
v0.79
v0.80
v0.81
v0.82
v0.83
v0.84
v0.85
v0.86
v0.87
v0.88
v0.89
v0.9.0-rc1
v0.9.0-rc2
v0.90
v0.91
v0.92
v0.93
v0.94
v0.95
v1.*
v1.06
v1.07
v1.08
v1.09
v1.10
v1.11
v1.12
v1.13
v1.14
v1.15
v1.16
v1.17
v1.18
v1.19
v1.20
v1.21
v1.23
v1.24
v1.25
v1.26
v1.27
v1.29
v1.30
v1.31
v1.32
v1.33
v1.34
v1.35
v1.36
v1.37
v1.38
v1.39
v1.40
v1.41
v1.42
v1.43
v1.44
v1.45
v1.46
v1.47
v1.49-edge-1
v1.49.1
v1.50.1
v1.50.2
v1.50.3
v1.51.1
v1.51.2
v1.52.1
v1.53.1
v1.53.2
v1.53.3
v1.53.4
v1.53.5
v1.53.6
v1.53.7
v1.53.8
v1.53.9
v1.55.1
v1.57
v1.58
v1.59
v1.60
v1.61
v1.62
v1.63
v1.64
v1.64.1
v1.64.2
v1.65
v1.66
v1.67
v1.68
v1.69
v1.69.2
v2.*
v2.60.1
v2.94
v2.98
v2.99
v3.*
v3.00
v3.01
v3.02
v3.03
v3.04
v3.05
v3.06
v3.07
v3.08
v3.09
v3.10
v3.11
v3.12
v3.13
v3.14
v3.15
v3.16
v3.17
v3.18
v3.19
v3.20
v3.21
v3.22
v3.23
v3.24
v3.25
v3.26
v3.27
v3.29
v3.30
v3.31
v3.32
v3.33
v3.34
v3.35
v3.36
v3.37
v3.38
v3.39
v3.40
v3.41
v3.42
v3.43
v3.44
v3.45
v3.46
v3.47
v3.48
v3.49
v3.50
v3.51
v3.52
v3.53
v3.54
v3.55
v3.56
v3.57
v3.58
v3.59
v3.60
v3.61
v3.62
v3.63
v3.64
v3.65
v3.66
v3.67
v3.68
v3.69
v3.70
v3.71
v3.73
v3.74
v3.75
v3.76
v3.77
v3.78
v3.79
v3.80
v3.81
v3.82
v3.83
v3.84
v3.85
v3.86
v3.87
v3.88
v3.89
v3.90
v3.91
v3.92
v3.93
v3.94
v3.95
v3.96
v3.97
v3.98
v3.99
v4.*
v4.00
v4.01
v4.02
v4.03
v4.04
v4.05
v4.06
v4.07
v4.08
v4.09
v4.10
v4.11
v4.12
v4.13
v4.14
v4.15
v4.16
v4.17
v4.18
v4.19
v4.20
v4.21
v4.22
v4.23
v4.24
v4.25
v4.26
v4.27
v4.28
v4.29
v4.32
v4.33
v4.34
v4.35
v4.36
v4.37
v4.38
v4.39
v4.40
v4.41
v4.42
v4.43
v4.44
v4.45
v4.46
v4.47
v4.48
v4.49
v4.50
v4.51
v4.52
v4.53
v4.54
v4.55
v4.56
v4.57
v4.58
v4.59
v4.60
v4.61
v4.62
v4.63
v4.64
v4.65
v4.66
v4.67
v4.68
v4.69
v4.70
v4.71
v4.72
v4.73
v4.74
v4.75
v4.76
v4.77
v4.78
v4.79
v4.80
v4.81
v4.82
v4.83
v4.84
v4.85
v4.86
v4.87
v4.88
v4.89
v4.90
v4.91
v4.92
v4.93
v4.94
v4.95
v4.96
v4.98
v4.99
v5.*
v5.00
v5.01
v5.02
v5.03
v5.04
v5.05
v5.06
v5.07
v5.08
v5.09
v5.10
v5.11
v5.12
v5.13
v5.14
v5.15
v5.16
v5.17
v5.18
v5.19
v5.20
v5.21
v5.22
v5.23
v5.24
v5.25
v5.26
v5.27
v5.29
v5.30
v5.31
v5.32
v5.33
v5.34
v5.35
v5.36
v5.37
v5.38
v5.39
v5.40
v5.41
v5.42
v5.43
v5.44
v5.45
v5.46
v5.47
v5.48
v5.49
v5.50
v5.51
v5.52
v5.53
v5.54
v5.55
v5.56
v5.57
v5.58
v5.59
v5.60
v5.61
v5.62
v5.63
v5.64
v5.65
v5.66
v5.67
v5.68
v5.69
v5.70
v5.71
v5.72
v5.73
v5.74
v5.75
v5.76
v5.77
v5.78
v5.79
v5.80
v5.81
v5.82
v5.83
v5.84
v5.85
v5.86
v5.87
v5.88
v5.89
v5.90
v5.91
v5.92
v5.93
v5.94
v5.95
v5.96
v5.97
v5.98
v5.99
v6.*
v6.00
v6.01
v6.02
v6.03
v6.04
v6.05
v6.10
v6.11
v6.12
v6.13
v6.14
v6.15
v6.16
v6.17
v6.18
v6.23
v6.24
v6.25
v6.26
v6.27
v6.28
v6.29
v6.30
v6.31
v6.32
v6.33
v6.34
v6.35
v6.36
v6.37
v6.38
v6.39
v6.40
v6.41
v6.42
v6.43
v6.44
v6.45
v6.46
v6.47
v6.48
v6.49
v6.50
v6.51
v6.52
v6.53
v6.54
v6.55
v6.56
v6.57
v6.58
v6.59
v6.60
v6.61
v6.62
v6.65
v6.67
v6.68
v6.69
v6.70
v6.71
v6.72
v6.73
v6.74
v6.75
v6.76
v6.77
v6.78
v6.79
v6.80
v6.81
v6.82
v6.83
v6.84
v6.85
v6.86
v6.87
v6.88
v6.89
v6.90
v6.91
v6.92
v6.93
v6.95
v6.96
v6.97
v6.98
v6.99
v6.99.1
v6.99.2
v6.99.3
v6.99.4
v6.99.5
v6.99.6
v6.99.7
v6.99.8
v6.99.9
v7.*
v7.00
v7.01
v7.02
v7.03
v7.04
v7.05
v7.06
v7.07
v7.08
v7.09
v7.10
v7.11
v7.12
v7.14
v7.15
v7.16
v7.17
v7.18
v7.19
v7.20
v7.21
v7.22
v7.23
v7.24
v7.25
v7.26
v7.27
v7.28
v7.29
v7.30
v7.31
v7.32
v7.33
v7.34
v7.35
v7.36
v7.37
v7.38
v7.39
v7.40
v7.41
v7.42
v7.43
v7.44
v7.45
v7.46
v7.47
v7.48
v7.49
v7.50
v7.51
v7.52
v7.53
v7.54
v7.55
v7.56
v7.57
v7.58
v7.59
v7.60
v7.61
v7.62
v7.63
v7.64
v7.65
v7.67
v7.68
v7.69
v7.70
v7.71
v7.72
v7.73
v7.74
v7.75
v7.76
v7.77
v7.78
v7.79
v7.80
v7.81
v7.82
v7.83
v7.84
v7.85
v7.86
v7.87
v7.88
v7.89
v7.90
v7.91
v7.92
v7.93
v7.95
v7.96
v7.97
v7.98
v7.99
v8.*
v8.00
v8.01
v8.02
v8.03
v8.04
v8.05
v8.06
v8.08
v8.09
v8.10
v8.11
v8.12
v8.14
v8.15
v8.16
v8.17
v8.18
v8.19
v8.20
v8.21
v8.22
v8.23
v8.24
v8.25
v8.26
v8.27
v8.28
v8.29
v8.30
v8.31
v8.32
v8.33
v8.34
v8.38
v8.39
v8.40
v8.43
v8.44
v8.45
v8.46
v8.47
v8.48
v8.49
v8.50
v8.51
v8.52
v8.53
v8.54
v8.55
v8.56
v8.57
v8.58
v8.59
v8.60
v8.61
v8.62
v8.63
v8.64
v8.65
v8.67
v8.68
v8.69
v8.70
v8.71
v8.72
v8.73
v8.74
v8.75
v8.76
v8.77
v8.78
v8.79
v8.80
v8.81
v8.82
v8.83
v8.84
v8.85
v8.86
v8.87
v8.88
v8.89
v8.90
v8.91
v8.92
v8.93
v8.94
v8.97
v8.98
v9.*
v9.00
v9.01
v9.02
v9.03
v9.04
v9.05
v9.06
v9.07
v9.08
v9.09
v9.10
v9.11
v9.12
v9.14
v9.15
v9.16
v9.17
v9.18
v9.19
v9.20
v9.21
v9.22
v9.23
v9.24
v9.25
v9.26
v9.27
v9.28
v9.29
v9.30
v9.31

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-53447.json"