Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1336 CNY

100%

CVE-2026-52892— Wekan: Read-only board members can create/modify/delete Custom Fields (privilege escalation via read-level authz on write ops)

CVSS 6.5 · Medium EPSS 0.26% · P17

Possible ATT&CK Techniques 1AI

T1078 · Valid Accounts

Affected Version Matrix 1

VendorProductVersion RangeStatus
wekanwekan< 9.32affected
Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2026-52892

Vulnerability Information

Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title
Wekan: Read-only board members can create/modify/delete Custom Fields (privilege escalation via read-level authz on write ops)
Source: NVD (National Vulnerability Database)
Vulnerability Description
Wekan is open source kanban built with Meteor. Prior to 9.32, Wekan REST handlers in server/models/customFields.js use read-level Authentication.checkBoardAccess instead of write-level Authentication.checkBoardWriteAccess for mutating custom-field routes. A read-only board member can call POST, PUT, and DELETE handlers for /api/boards/:boardId/custom-fields and custom-field dropdown items to create, update, or delete board custom fields. This issue is fixed in version 9.32.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Source: NVD (National Vulnerability Database)
Vulnerability Type
授权机制缺失
Source: NVD (National Vulnerability Database)

Affected Products

VendorProductAffected VersionsCPESubscribe
wekanwekan < 9.32 -

II. Public POCs for CVE-2026-52892

#POC DescriptionSource LinkShenlong Link
AI-Generated POCPremium

No public POC found.

Login to generate AI POC

III. Intelligence Information for CVE-2026-52892

登录查看更多情报信息。

Patches & Fixes for CVE-2026-52892 (2)

Vendor Advisories for CVE-2026-52892 (1)

Same Patch Batch · wekan · 2026-07-15 · 10 CVEs total

CVE-2026-528919.9 CRITICALWekan: Shell Injection via Avatar Upload
CVE-2026-556529.8 CRITICALWekan: Header-login IP allowlist bypass via X-Forwarded-For spoofing in Wekan allows unaut
CVE-2026-552348.5 HIGHWekan: Broken access control: any authenticated user can move their Cards/Lists/Swimlanes
CVE-2026-528907.1 HIGHWekan: Arbitrary file read and server DoS via attachment versions.original.path
CVE-2026-534476.5 MEDIUMWekan: `cloneBoard` Meteor method has no authorization check — any user can clone (read) a
CVE-2026-53444Wekan: Missing authorization on OIDC Meteor methods allows privilege escalation to admin
CVE-2026-53445Wekan: Authorization bypass in copyBoard DDP method allows any user to copy private boards
CVE-2026-53446Wekan: Server-Side Request Forgery (SSRF) via webhook integration URLs
CVE-2026-52893Wekan: OIDC Account Takeover via Unconditional Email-Based Account Merge in onCreateUser h

IV. Related Vulnerabilities

V. Comments for CVE-2026-52892

No comments yet


Leave a comment