CVE-2026-55234

Source
https://cve.org/CVERecord?id=CVE-2026-55234
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-55234.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-55234
Aliases
  • GHSA-gm7v-pc38-53jr
Published
2026-07-15T21:13:35.600Z
Modified
2026-07-18T03:41:45.347139291Z
Severity
  • 8.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:L CVSS Calculator
Summary
Wekan: Broken access control: any authenticated user can move their Cards/Lists/Swimlanes into a private board they are not a member of (cross-board write via collection allow rule)
Details

Wekan is open source kanban built with Meteor. Prior to 9.37, Wekan DDP update allow rules in server/permissions/cards.js, server/permissions/lists.js, and server/permissions/swimlanes.js authorize against the stored source boardId and do not validate a new boardId in the update modifier. Any authenticated user with write access to their own board can call /cards/update, /lists/update, or /swimlanes/update to move cards, lists, or swimlanes into a private board they are not a member of. This issue is fixed in version 9.37.

Database specific
{
    "cwe_ids": [
        "CWE-284",
        "CWE-639"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/55xxx/CVE-2026-55234.json",
    "cna_assigner": "GitHub_M"
}
References

Affected packages

Git / github.com/wekan/wekan

Affected ranges

Type
GIT
Repo
https://github.com/wekan/wekan
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Fixed
Database specific
{
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "9.37"
        }
    ],
    "source": [
        "AFFECTED_FIELD",
        "REFERENCES"
    ]
}

Affected versions

4.*
4.30
4.31
Other
stable
v0.*
v0.10-rc2
v0.10.0
v0.10.0-rc1
v0.10.0-rc3
v0.10.0-rc4
v0.11.0-rc1
v0.11.0-rc2
v0.11.1-rc1
v0.11.1-rc2
v0.12
v0.13
v0.16
v0.17
v0.18
v0.19
v0.20
v0.21
v0.22
v0.23
v0.24
v0.25
v0.26
v0.27
v0.28
v0.29
v0.30
v0.31
v0.32
v0.33
v0.34
v0.35
v0.36
v0.37
v0.38
v0.39
v0.40
v0.41
v0.42
v0.43
v0.44
v0.45
v0.46
v0.47
v0.48
v0.49
v0.50
v0.51
v0.52
v0.54
v0.55
v0.56
v0.57
v0.58
v0.59
v0.60
v0.61
v0.62
v0.63
v0.65
v0.66
v0.67
v0.68
v0.69
v0.70
v0.71
v0.72
v0.73
v0.74
v0.75
v0.76
v0.77
v0.78
v0.79
v0.80
v0.81
v0.82
v0.83
v0.84
v0.85
v0.86
v0.87
v0.88
v0.89
v0.9.0-rc1
v0.9.0-rc2
v0.90
v0.91
v0.92
v0.93
v0.94
v0.95
v1.*
v1.06
v1.07
v1.08
v1.09
v1.10
v1.11
v1.12
v1.13
v1.14
v1.15
v1.16
v1.17
v1.18
v1.19
v1.20
v1.21
v1.23
v1.24
v1.25
v1.26
v1.27
v1.29
v1.30
v1.31
v1.32
v1.33
v1.34
v1.35
v1.36
v1.37
v1.38
v1.39
v1.40
v1.41
v1.42
v1.43
v1.44
v1.45
v1.46
v1.47
v1.49-edge-1
v1.49.1
v1.50.1
v1.50.2
v1.50.3
v1.51.1
v1.51.2
v1.52.1
v1.53.1
v1.53.2
v1.53.3
v1.53.4
v1.53.5
v1.53.6
v1.53.7
v1.53.8
v1.53.9
v1.55.1
v1.57
v1.58
v1.59
v1.60
v1.61
v1.62
v1.63
v1.64
v1.64.1
v1.64.2
v1.65
v1.66
v1.67
v1.68
v1.69
v1.69.2
v2.*
v2.60.1
v2.94
v2.98
v2.99
v3.*
v3.00
v3.01
v3.02
v3.03
v3.04
v3.05
v3.06
v3.07
v3.08
v3.09
v3.10
v3.11
v3.12
v3.13
v3.14
v3.15
v3.16
v3.17
v3.18
v3.19
v3.20
v3.21
v3.22
v3.23
v3.24
v3.25
v3.26
v3.27
v3.29
v3.30
v3.31
v3.32
v3.33
v3.34
v3.35
v3.36
v3.37
v3.38
v3.39
v3.40
v3.41
v3.42
v3.43
v3.44
v3.45
v3.46
v3.47
v3.48
v3.49
v3.50
v3.51
v3.52
v3.53
v3.54
v3.55
v3.56
v3.57
v3.58
v3.59
v3.60
v3.61
v3.62
v3.63
v3.64
v3.65
v3.66
v3.67
v3.68
v3.69
v3.70
v3.71
v3.73
v3.74
v3.75
v3.76
v3.77
v3.78
v3.79
v3.80
v3.81
v3.82
v3.83
v3.84
v3.85
v3.86
v3.87
v3.88
v3.89
v3.90
v3.91
v3.92
v3.93
v3.94
v3.95
v3.96
v3.97
v3.98
v3.99
v4.*
v4.00
v4.01
v4.02
v4.03
v4.04
v4.05
v4.06
v4.07
v4.08
v4.09
v4.10
v4.11
v4.12
v4.13
v4.14
v4.15
v4.16
v4.17
v4.18
v4.19
v4.20
v4.21
v4.22
v4.23
v4.24
v4.25
v4.26
v4.27
v4.28
v4.29
v4.32
v4.33
v4.34
v4.35
v4.36
v4.37
v4.38
v4.39
v4.40
v4.41
v4.42
v4.43
v4.44
v4.45
v4.46
v4.47
v4.48
v4.49
v4.50
v4.51
v4.52
v4.53
v4.54
v4.55
v4.56
v4.57
v4.58
v4.59
v4.60
v4.61
v4.62
v4.63
v4.64
v4.65
v4.66
v4.67
v4.68
v4.69
v4.70
v4.71
v4.72
v4.73
v4.74
v4.75
v4.76
v4.77
v4.78
v4.79
v4.80
v4.81
v4.82
v4.83
v4.84
v4.85
v4.86
v4.87
v4.88
v4.89
v4.90
v4.91
v4.92
v4.93
v4.94
v4.95
v4.96
v4.98
v4.99
v5.*
v5.00
v5.01
v5.02
v5.03
v5.04
v5.05
v5.06
v5.07
v5.08
v5.09
v5.10
v5.11
v5.12
v5.13
v5.14
v5.15
v5.16
v5.17
v5.18
v5.19
v5.20
v5.21
v5.22
v5.23
v5.24
v5.25
v5.26
v5.27
v5.29
v5.30
v5.31
v5.32
v5.33
v5.34
v5.35
v5.36
v5.37
v5.38
v5.39
v5.40
v5.41
v5.42
v5.43
v5.44
v5.45
v5.46
v5.47
v5.48
v5.49
v5.50
v5.51
v5.52
v5.53
v5.54
v5.55
v5.56
v5.57
v5.58
v5.59
v5.60
v5.61
v5.62
v5.63
v5.64
v5.65
v5.66
v5.67
v5.68
v5.69
v5.70
v5.71
v5.72
v5.73
v5.74
v5.75
v5.76
v5.77
v5.78
v5.79
v5.80
v5.81
v5.82
v5.83
v5.84
v5.85
v5.86
v5.87
v5.88
v5.89
v5.90
v5.91
v5.92
v5.93
v5.94
v5.95
v5.96
v5.97
v5.98
v5.99
v6.*
v6.00
v6.01
v6.02
v6.03
v6.04
v6.05
v6.10
v6.11
v6.12
v6.13
v6.14
v6.15
v6.16
v6.17
v6.18
v6.23
v6.24
v6.25
v6.26
v6.27
v6.28
v6.29
v6.30
v6.31
v6.32
v6.33
v6.34
v6.35
v6.36
v6.37
v6.38
v6.39
v6.40
v6.41
v6.42
v6.43
v6.44
v6.45
v6.46
v6.47
v6.48
v6.49
v6.50
v6.51
v6.52
v6.53
v6.54
v6.55
v6.56
v6.57
v6.58
v6.59
v6.60
v6.61
v6.62
v6.65
v6.67
v6.68
v6.69
v6.70
v6.71
v6.72
v6.73
v6.74
v6.75
v6.76
v6.77
v6.78
v6.79
v6.80
v6.81
v6.82
v6.83
v6.84
v6.85
v6.86
v6.87
v6.88
v6.89
v6.90
v6.91
v6.92
v6.93
v6.95
v6.96
v6.97
v6.98
v6.99
v6.99.1
v6.99.2
v6.99.3
v6.99.4
v6.99.5
v6.99.6
v6.99.7
v6.99.8
v6.99.9
v7.*
v7.00
v7.01
v7.02
v7.03
v7.04
v7.05
v7.06
v7.07
v7.08
v7.09
v7.10
v7.11
v7.12
v7.14
v7.15
v7.16
v7.17
v7.18
v7.19
v7.20
v7.21
v7.22
v7.23
v7.24
v7.25
v7.26
v7.27
v7.28
v7.29
v7.30
v7.31
v7.32
v7.33
v7.34
v7.35
v7.36
v7.37
v7.38
v7.39
v7.40
v7.41
v7.42
v7.43
v7.44
v7.45
v7.46
v7.47
v7.48
v7.49
v7.50
v7.51
v7.52
v7.53
v7.54
v7.55
v7.56
v7.57
v7.58
v7.59
v7.60
v7.61
v7.62
v7.63
v7.64
v7.65
v7.67
v7.68
v7.69
v7.70
v7.71
v7.72
v7.73
v7.74
v7.75
v7.76
v7.77
v7.78
v7.79
v7.80
v7.81
v7.82
v7.83
v7.84
v7.85
v7.86
v7.87
v7.88
v7.89
v7.90
v7.91
v7.92
v7.93
v7.95
v7.96
v7.97
v7.98
v7.99
v8.*
v8.00
v8.01
v8.02
v8.03
v8.04
v8.05
v8.06
v8.08
v8.09
v8.10
v8.11
v8.12
v8.14
v8.15
v8.16
v8.17
v8.18
v8.19
v8.20
v8.21
v8.22
v8.23
v8.24
v8.25
v8.26
v8.27
v8.28
v8.29
v8.30
v8.31
v8.32
v8.33
v8.34
v8.38
v8.39
v8.40
v8.43
v8.44
v8.45
v8.46
v8.47
v8.48
v8.49
v8.50
v8.51
v8.52
v8.53
v8.54
v8.55
v8.56
v8.57
v8.58
v8.59
v8.60
v8.61
v8.62
v8.63
v8.64
v8.65
v8.67
v8.68
v8.69
v8.70
v8.71
v8.72
v8.73
v8.74
v8.75
v8.76
v8.77
v8.78
v8.79
v8.80
v8.81
v8.82
v8.83
v8.84
v8.85
v8.86
v8.87
v8.88
v8.89
v8.90
v8.91
v8.92
v8.93
v8.94
v8.97
v8.98
v9.*
v9.00
v9.01
v9.02
v9.03
v9.04
v9.05
v9.06
v9.07
v9.08
v9.09
v9.10
v9.11
v9.12
v9.14
v9.15
v9.16
v9.17
v9.18
v9.19
v9.20
v9.21
v9.22
v9.23
v9.24
v9.25
v9.26
v9.27
v9.28
v9.29
v9.30
v9.31
v9.35
v9.36

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-55234.json"