Wekan
Open source kanban board application built with Meteor
Alternative to: trello
About
Versions (100)
v9.37
2026-06-11v9.37 2026-06-11 WeKan ® release
This release fixes the following CRITICAL SECURITY ISSUES of BoardBleed:
- Fixed BoardBleed:
Broken access control lets any authenticated user move their Cards/Lists/Swimlanes into
a private board they are not a member of (cross-board write via collection
allow rule)](https://github.com/wekan/wekan/security/advisories/GHSA-gm7v-pc38-53jr)
(CWE-284, CWE-639). WeKan boards are membership-scoped, but the DDP collection write
policies for Cards, Lists and Swimlanes (
server/permissions/cards.js,server/permissions/lists.js,server/permissions/swimlanes.js) authorized an update by checking only the CURRENT (pre-update)boardIdof the document — i.e. the attacker’s own source board — and never validated the NEWboardIdsupplied in the update modifier. Because every logged-in user can create a board where they are admin, an attacker could take a document they own and, in a single/cards/update,/lists/updateor/swimlanes/updateDDP call,$setitsboardId(plusswimlaneId/listId) to a victim’s private board: the allow rule saw the attacker’s own source board, approved the write, and the document was relocated into a board the attacker is not a member of and cannot even read. This let an unprivileged user inject arbitrary cards/lists/swimlanes (attacker-controlled titles, descriptions, assignees, etc.) into any private board by id, defeating board-level access control. The REST API for the same operation (PUT /api/boards/:boardId/lists/:listId/cards/:cardIdwithnewBoardId) was not affected because it correctly callsAuthentication.checkBoardWriteAccess(req.userId, newBoardId)on the destination board; only the DDP allow/deny layer was vulnerable. Fixed by adding adenyCrossBoardMovehelper inserver/lib/utils.jsand aCards.deny/Lists.deny/Swimlanes.denyupdaterule on each collection that rejects any update whose modifier$sets aboardIdon which the caller does not have write access, so a cross-board move is only allowed into a destination board where the user is an active write-capable member. Affected Wekan v9.35 and earlier. Thanks to 0xzap, xet7 and Claude.
and adds the following updates:
- Update release website script version numbering. Thanks to xet7 and Claude.
Thanks to above GitHub users for their contributions and translators for their translations.