Wekan logo

Wekan

Open source kanban board application built with Meteor

Alternative to: trello


About Versions (100)

v9.37

2026-06-11

v9.37 2026-06-11 WeKan ® release

This release fixes the following CRITICAL SECURITY ISSUES of BoardBleed:

  • Fixed BoardBleed: Broken access control lets any authenticated user move their Cards/Lists/Swimlanes into a private board they are not a member of (cross-board write via collection allow rule)](https://github.com/wekan/wekan/security/advisories/GHSA-gm7v-pc38-53jr) (CWE-284, CWE-639). WeKan boards are membership-scoped, but the DDP collection write policies for Cards, Lists and Swimlanes (server/permissions/cards.js, server/permissions/lists.js, server/permissions/swimlanes.js) authorized an update by checking only the CURRENT (pre-update) boardId of the document — i.e. the attacker’s own source board — and never validated the NEW boardId supplied in the update modifier. Because every logged-in user can create a board where they are admin, an attacker could take a document they own and, in a single /cards/update, /lists/update or /swimlanes/update DDP call, $set its boardId (plus swimlaneId/listId) to a victim’s private board: the allow rule saw the attacker’s own source board, approved the write, and the document was relocated into a board the attacker is not a member of and cannot even read. This let an unprivileged user inject arbitrary cards/lists/swimlanes (attacker-controlled titles, descriptions, assignees, etc.) into any private board by id, defeating board-level access control. The REST API for the same operation (PUT /api/boards/:boardId/lists/:listId/cards/:cardId with newBoardId) was not affected because it correctly calls Authentication.checkBoardWriteAccess(req.userId, newBoardId) on the destination board; only the DDP allow/deny layer was vulnerable. Fixed by adding a denyCrossBoardMove helper in server/lib/utils.js and a Cards.deny/Lists.deny/ Swimlanes.deny update rule on each collection that rejects any update whose modifier $sets a boardId on which the caller does not have write access, so a cross-board move is only allowed into a destination board where the user is an active write-capable member. Affected Wekan v9.35 and earlier. Thanks to 0xzap, xet7 and Claude.

and adds the following updates:

Thanks to above GitHub users for their contributions and translators for their translations.