Stats Digest Feeds
โ† Back to all CVEs

CVE-2026-52892

MEDIUM NVD
CVSS Score 6.5
Severity MEDIUM
Published Jul 15, 2026
Vendor unknown

Description

Wekan is open source kanban built with Meteor. Prior to 9.32, Wekan REST handlers in server/models/customFields.js use read-level Authentication.checkBoardAccess instead of write-level Authentication.checkBoardWriteAccess for mutating custom-field routes. A read-only board member can call POST, PUT, and DELETE handlers for /api/boards/:boardId/custom-fields and custom-field dropdown items to create, update, or delete board custom fields. This issue is fixed in version 9.32.

References