{"api_version":"1","generated_at":"2026-07-11T00:44:42+00:00","cve":"CVE-2026-59154","urls":{"html":"https://cve.report/CVE-2026-59154","api":"https://cve.report/api/cve/CVE-2026-59154.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2026-59154","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2026-59154"},"summary":{"title":"Wekan: Checklist direct DDP updates can write checklist data into private boards","description":"Wekan is open source kanban built with Meteor. Prior to 9.64, Wekan has a cross-board authorization bypass in the direct Meteor collection allow rules for Checklists and ChecklistItems because updates are authorized only against the current source doc.cardId and do not inspect the destination cardId or boardId in the update modifier, allowing a low-privileged authenticated user with write access to one board and knowledge of a target private card id to create checklist data on an accessible card and move it into a private board where they are not a member. This issue is fixed in version 9.64.","state":"PUBLISHED","assigner":"GitHub_M","published_at":"2026-07-10 17:17:02","updated_at":"2026-07-10 21:17:00"},"problem_types":["CWE-863","CWE-863 CWE-863: Incorrect Authorization"],"metrics":[{"version":"3.1","source":"security-advisories@github.com","type":"Secondary","score":"4.3","severity":"MEDIUM","vector":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N","baseScore":4.3,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"LOW","availabilityImpact":"NONE"}},{"version":"3.1","source":"CNA","type":"DECLARED","score":"4.3","severity":"MEDIUM","vector":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N","data":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":4.3,"baseSeverity":"MEDIUM","confidentialityImpact":"NONE","integrityImpact":"LOW","privilegesRequired":"LOW","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N","version":"3.1"}}],"references":[{"url":"https://github.com/wekan/wekan/commit/b1ca76007b9a295fd029dfefc1a2d1d6f1920835","name":"https://github.com/wekan/wekan/commit/b1ca76007b9a295fd029dfefc1a2d1d6f1920835","refsource":"security-advisories@github.com","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://github.com/wekan/wekan/releases/tag/v9.64","name":"https://github.com/wekan/wekan/releases/tag/v9.64","refsource":"security-advisories@github.com","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://github.com/wekan/wekan/security/advisories/GHSA-gv8h-5p3p-6hx7","name":"https://github.com/wekan/wekan/security/advisories/GHSA-gv8h-5p3p-6hx7","refsource":"security-advisories@github.com","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-59154","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-59154","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"wekan","product":"wekan","version":"affected < 9.64","platforms":[]}],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"adp":[{"metrics":[{"other":{"content":{"id":"CVE-2026-59154","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","timestamp":"2026-07-10T20:46:26.086286Z","version":"2.0.3"},"type":"ssvc"}}],"providerMetadata":{"dateUpdated":"2026-07-10T20:59:04.865Z","orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP"},"title":"CISA ADP Vulnrichment"}],"cna":{"affected":[{"product":"wekan","vendor":"wekan","versions":[{"status":"affected","version":"< 9.64"}]}],"descriptions":[{"lang":"en","value":"Wekan is open source kanban built with Meteor. Prior to 9.64, Wekan has a cross-board authorization bypass in the direct Meteor collection allow rules for Checklists and ChecklistItems because updates are authorized only against the current source doc.cardId and do not inspect the destination cardId or boardId in the update modifier, allowing a low-privileged authenticated user with write access to one board and knowledge of a target private card id to create checklist data on an accessible card and move it into a private board where they are not a member. This issue is fixed in version 9.64."}],"metrics":[{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":4.3,"baseSeverity":"MEDIUM","confidentialityImpact":"NONE","integrityImpact":"LOW","privilegesRequired":"LOW","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N","version":"3.1"}}],"problemTypes":[{"descriptions":[{"cweId":"CWE-863","description":"CWE-863: Incorrect Authorization","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2026-07-10T15:45:20.012Z","orgId":"a0819718-46f1-4df5-94e2-005712e83aaa","shortName":"GitHub_M"},"references":[{"name":"https://github.com/wekan/wekan/security/advisories/GHSA-gv8h-5p3p-6hx7","tags":["x_refsource_CONFIRM"],"url":"https://github.com/wekan/wekan/security/advisories/GHSA-gv8h-5p3p-6hx7"},{"name":"https://github.com/wekan/wekan/commit/b1ca76007b9a295fd029dfefc1a2d1d6f1920835","tags":["x_refsource_MISC"],"url":"https://github.com/wekan/wekan/commit/b1ca76007b9a295fd029dfefc1a2d1d6f1920835"},{"name":"https://github.com/wekan/wekan/releases/tag/v9.64","tags":["x_refsource_MISC"],"url":"https://github.com/wekan/wekan/releases/tag/v9.64"}],"source":{"advisory":"GHSA-gv8h-5p3p-6hx7","discovery":"UNKNOWN"},"title":"Wekan: Checklist direct DDP updates can write checklist data into private boards"}},"cveMetadata":{"assignerOrgId":"a0819718-46f1-4df5-94e2-005712e83aaa","assignerShortName":"GitHub_M","cveId":"CVE-2026-59154","datePublished":"2026-07-10T15:45:20.012Z","dateReserved":"2026-07-02T16:50:27.886Z","dateUpdated":"2026-07-10T20:59:04.865Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-07-10 17:17:02","lastModifiedDate":"2026-07-10 21:17:00","problem_types":["CWE-863","CWE-863 CWE-863: Incorrect Authorization"],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N","baseScore":4.3,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"LOW","availabilityImpact":"NONE"},"exploitabilityScore":2.8,"impactScore":1.4}],"ssvcV203":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","ssvcData":{"timestamp":"2026-07-10T20:46:26.086286Z","id":"CVE-2026-59154","options":[{"exploitation":"none"},{"automatable":"no"},{"technicalImpact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}]},"configurations":[]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"59154","Ordinal":"1","Title":"Wekan: Checklist direct DDP updates can write checklist data int","CVE":"CVE-2026-59154","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"59154","Ordinal":"1","NoteData":"Wekan is open source kanban built with Meteor. Prior to 9.64, Wekan has a cross-board authorization bypass in the direct Meteor collection allow rules for Checklists and ChecklistItems because updates are authorized only against the current source doc.cardId and do not inspect the destination cardId or boardId in the update modifier, allowing a low-privileged authenticated user with write access to one board and knowledge of a target private card id to create checklist data on an accessible card and move it into a private board where they are not a member. This issue is fixed in version 9.64.","Type":"Description","Title":"Wekan: Checklist direct DDP updates can write checklist data int"}]}}}