Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1336 CNY

100%

CVE-2026-52893— Wekan: OIDC Account Takeover via Unconditional Email-Based Account Merge in onCreateUser hook

AI Predicted 9.8 Difficulty: Easy EPSS 0.30% · P22

Affected Version Matrix 1

VendorProductVersion RangeStatus
wekanwekan< 9.32affected
Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2026-52893

Vulnerability Information

Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title
Wekan: OIDC Account Takeover via Unconditional Email-Based Account Merge in onCreateUser hook
Source: NVD (National Vulnerability Database)
Vulnerability Description
Wekan is open source kanban built with Meteor. Prior to 9.32, the Wekan Accounts.onCreateUser hook in server/models/users.js merges OIDC logins into existing accounts when the OIDC email or username matches an existing Wekan user, without verifying ownership or checking email_verified. An attacker using an OIDC provider account with a victim's email or username can cause Wekan to merge the attacker's OIDC credentials into the victim account and then log in as that account. This issue is fixed in version 9.32.
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
认证机制不恰当
Source: NVD (National Vulnerability Database)
Vulnerability Title
Wekan 授权问题漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
WeKan wekan是WeKan团队的协同项目管理平台。 Wekan 9.32之前版本存在授权问题漏洞,该漏洞源于在合并OIDC登录时未验证邮箱所有权或邮箱验证状态,导致攻击者使用受害者的邮箱或用户名进行合并后登录。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)

Affected Products

VendorProductAffected VersionsCPESubscribe
wekanwekan < 9.32 -

II. Public POCs for CVE-2026-52893

#POC DescriptionSource LinkShenlong Link
AI-Generated POCPremium

No public POC found.

Login to generate AI POC

III. Intelligence Information for CVE-2026-52893

登录查看更多情报信息。

Patches & Fixes for CVE-2026-52893 (2)

Vendor Advisories for CVE-2026-52893 (1)

Same Patch Batch · wekan · 2026-07-15 · 10 CVEs total

CVE-2026-528919.9 CRITICALWekan: Shell Injection via Avatar Upload
CVE-2026-556529.8 CRITICALWekan: Header-login IP allowlist bypass via X-Forwarded-For spoofing in Wekan allows unaut
CVE-2026-552348.5 HIGHWekan: Broken access control: any authenticated user can move their Cards/Lists/Swimlanes
CVE-2026-528907.1 HIGHWekan: Arbitrary file read and server DoS via attachment versions.original.path
CVE-2026-534476.5 MEDIUMWekan: `cloneBoard` Meteor method has no authorization check — any user can clone (read) a
CVE-2026-528926.5 MEDIUMWekan: Read-only board members can create/modify/delete Custom Fields (privilege escalatio
CVE-2026-53444Wekan: Missing authorization on OIDC Meteor methods allows privilege escalation to admin
CVE-2026-53445Wekan: Authorization bypass in copyBoard DDP method allows any user to copy private boards
CVE-2026-53446Wekan: Server-Side Request Forgery (SSRF) via webhook integration URLs

IV. Related Vulnerabilities

V. Comments for CVE-2026-52893

No comments yet


Leave a comment