Description
Wekan is an open source kanban tool built with Meteor. Versions 8.32 and 8.33 have a critical Insecure Direct Object Reference (IDOR) issue which could allow unauthorized users to modify custom fields across boards through its custom fields update endpoints, potentially leading to unauthorized data manipulation. The PUT /api/boards/:boardId/custom-fields/:customFieldId endpoint in Wekan validates that the authenticated user has access to the specified boardId, but the subsequent database update uses only the custom field's _id as a filter without confirming the field actually belongs to that board. This means an attacker who owns any board can modify custom fields on any other board by supplying a foreign custom field ID, and the same flaw exists in the POST, PUT, and DELETE endpoints for dropdown items under custom fields. The required custom field IDs can be obtained by exporting a board (which only needs read access), since the exported JSON includes the IDs of all board components. The authorization check is performed against the wrong resource, allowing cross-board custom field manipulation. This issue has been fixed in version 8.34.
Published: 2026-03-06
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized modification of custom fields across boards through an IDOR flaw
Action: Immediate Patch
AI Analysis

Impact

An insecure direct object reference in Wekan’s custom‑field update endpoints allows an authenticated user to alter fields on boards they do not own. The flaw occurs because the API verifies board membership before the database update, but the update step filters only by the custom field ID, not by the board it belongs to. Consequently, a malicious user can supply the ID of any custom field on another board and change its values or delete it, leading to unauthorized data manipulation. The vulnerability is classified as CWE‑639.
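The authorization mismatch described in the Description above and in this Impact summary, shown as an added illustration that is not Wekan's own code: an in-memory stand-in for the custom-fields collection, with the vulnerable update (selector on `_id` only) beside the fixed one (selector on `_id` and `boardId`). The board, user and field names are constructed.

```javascript
// Added example, not Wekan's code: an in-memory model of the authorization
// flaw in CVE-2026-30843 and its fix. All names and data here are constructed.
const boards = {
  boardA: { members: ['alice'] },
  boardB: { members: ['bob'] },
};
// Constructed custom-field documents; each belongs to exactly one board.
const customFields = [
  { _id: 'cfA', boardId: 'boardA', name: 'Priority' },
  { _id: 'cfB', boardId: 'boardB', name: 'Budget' },
];

// The board-membership check the endpoint performs on the boardId in the URL.
function userHasBoardAccess(userId, boardId) {
  const board = boards[boardId];
  return Boolean(board && board.members.includes(userId));
}

// Stand-in for a Mongo-style update(selector, {$set: changes}); returns the
// number of documents that matched the selector and were modified.
function updateMatching(selector, changes) {
  let modified = 0;
  for (const doc of customFields) {
    if (Object.keys(selector).every((key) => doc[key] === selector[key])) {
      Object.assign(doc, changes);
      modified += 1;
    }
  }
  return modified;
}

// Vulnerable pattern: access is checked against the boardId from the URL,
// but the update selector contains only the field's _id, so a field that
// belongs to any other board is matched and modified (CWE-639).
function updateCustomFieldVulnerable(userId, boardId, customFieldId, changes) {
  if (!userHasBoardAccess(userId, boardId)) return { status: 403, modified: 0 };
  const modified = updateMatching({ _id: customFieldId }, changes);
  return { status: 200, modified };
}

// Hardened pattern: the selector binds the field to the board that was just
// authorized, so a foreign customFieldId matches nothing and is reported as 404.
function updateCustomFieldFixed(userId, boardId, customFieldId, changes) {
  if (!userHasBoardAccess(userId, boardId)) return { status: 403, modified: 0 };
  const modified = updateMatching({ _id: customFieldId, boardId }, changes);
  return modified === 0 ? { status: 404, modified: 0 } : { status: 200, modified };
}
```

The same selector change applies to the dropdown-item POST, PUT and DELETE handlers the description mentions: every write must be scoped to the board whose membership was checked.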

Affected Systems

Wekan, identical to the open‑source project name. Versions 8.32 and 8.33 are affected. The issue has been fixed in version 8.34 and later.

Risk and Exploitability

The vulnerability has a CVSS score of 9.3, indicating high severity. However, the EPSS score is below 1%, suggesting that exploitation attempts are expected to be rare. The flaw is not listed as a Known Exploited Vulnerability in CISA’s KEV catalog. Attackers need only a legitimate account with access to any board to abuse the flaw; they can then obtain other boards’ custom field IDs by exporting a board that they have read access to. With those IDs, the attacker can construct requests to the PUT, POST, or DELETE custom‑field endpoints and manipulate data on arbitrary boards.

Generated by OpenCVE AI on April 17, 2026 at 12:19 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to Wekan version 8.34 or later which contains the patch for the IDOR issue.
  • Limit the export of board data to trusted users or remove custom field IDs from exported payloads to reduce exposure of sensitive identifiers.
  • Modify the API implementation to validate that the custom field ID belongs to the target board before performing any update, creation, or deletion.


Advisories

No advisories yet.

History

Wed, 11 Mar 2026 16:00:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Wekan Project; Wekan Project wekan
CPEs                |                | cpe:2.3:a:wekan_project:wekan:8.32:*:*:*:*:*:*:*; cpe:2.3:a:wekan_project:wekan:8.33:*:*:*:*:*:*:*
Vendors & Products  |                | Wekan Project; Wekan Project wekan
Metrics             |                | cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N'}


Mon, 09 Mar 2026 21:15:00 +0000

Type    | Values Removed | Values Added
Metrics |                | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 09 Mar 2026 10:15:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Wekan; Wekan wekan
Vendors & Products  |                | Wekan; Wekan wekan

Fri, 06 Mar 2026 19:45:00 +0000

Type        | Values Removed | Values Added
Description |                | Wekan is an open source kanban tool built with Meteor. Versions 8.32 and 8.33 have a critical Insecure Direct Object Reference (IDOR) issue which could allow unauthorized users to modify custom fields across boards through its custom fields update endpoints, potentially leading to unauthorized data manipulation. The PUT /api/boards/:boardId/custom-fields/:customFieldId endpoint in Wekan validates that the authenticated user has access to the specified boardId, but the subsequent database update uses only the custom field's _id as a filter without confirming the field actually belongs to that board. This means an attacker who owns any board can modify custom fields on any other board by supplying a foreign custom field ID, and the same flaw exists in the POST, PUT, and DELETE endpoints for dropdown items under custom fields. The required custom field IDs can be obtained by exporting a board (which only needs read access), since the exported JSON includes the IDs of all board components. The authorization check is performed against the wrong resource, allowing cross-board custom field manipulation. This issue has been fixed in version 8.34.
Title       |                | Wekan has Cross-Board IDOR in Custom Fields Update Endpoints
Weaknesses  |                | CWE-639
References  |                |
Metrics     |                | cvssV4_0 {'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-09T20:34:20.437Z

Reserved: 2026-03-05T21:06:44.607Z

Link: CVE-2026-30843

Vulnrichment

Updated: 2026-03-09T20:27:06.674Z

NVD

Status: Analyzed

Published: 2026-03-06T20:16:16.860

Modified: 2026-03-11T15:49:35.097

Link: CVE-2026-30843

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T12:30:06Z

Weaknesses