Wekan
Open source kanban board application built with Meteor
Alternative to: trello
v9.46
2026-06-15v9.46 2026-06-15 WeKan ® release
This release fixes the following CRITICAL SECURITY ISSUES of ProxyBleed:
- Fixed ProxyBleed: Header-login IP allowlist bypass via X-Forwarded-For spoofing allows
unauthenticated full account takeover (incl. admin)
(GHSA-jggc-qvfc-jr6x, CWE-290 Authentication Bypass by Spoofing, CWE-348 Use of Less Trusted Source). WeKan’s
header-login (reverse-proxy SSO) feature gates passwordless login on a source-IP allowlist
(
HEADER_LOGIN_TRUSTED_IPS), butgetRequestIp()inserver/lib/headerLoginAuth.jsderived the source IP from the client-suppliedX-Forwarded-Forrequest header (its left-most hop), falling back to the real TCP socket peer only when that header was absent. BecauseX-Forwarded-Foris fully attacker-controlled, an unauthenticated attacker who can reach the app port directly (a second ingress, a published container port, a k8s NodePort, SSRF — i.e. any path that does not traverse the trusted reverse proxy) could send a single GET request withX-Forwarded-For: <an-allowlisted-ip>plus the username header (e.g.X-Auth-User: admin) and be minted a full passwordless login session (meteor_login_token) for any existing user, includingadmin— complete account takeover and admin impersonation, with no password, token or shared secret. An empty or unset allowlist additionally failed OPEN (it trusted every source). The minted session is a real, persisted resume token that also authenticates the REST API as the spoofed user. Fixed by deriving the source IP from the real TCP socket peer (req.socket.remoteAddress/req.connection.remoteAddress, normalizing IPv4-mapped IPv6) and never fromX-Forwarded-For, and by making an empty/unsetHEADER_LOGIN_TRUSTED_IPSfail CLOSED so header-login authenticates no one until the trusted reverse-proxy IP(s) are configured (a startup warning is logged in that case). The samefindOrCreateHeaderLoginUser/isTrustedHeaderLoginSourcehelpers back the attachment API, so that path is fixed by the same change. OPERATOR ACTION REQUIRED: if you use header-login you must setHEADER_LOGIN_TRUSTED_IPSto your reverse proxy’s IP address(es) — after this change an unset allowlist disables header-login instead of trusting everyone, and the source IP compared against the allowlist is now the real proxy connection, not a forgeable header. For multi-hop proxy deployments an OPT-INHEADER_LOGIN_TRUSTED_PROXIESlist was added:X-Forwarded-Foris honored only when the immediate TCP peer is one of those explicitly trusted proxies, and then only the right-most hop that is not itself a trusted proxy (the real client) is matched againstHEADER_LOGIN_TRUSTED_IPS— a direct attacker’s forged header is still ignored. Covered by regression tests (server/lib/tests/proxybleed.security.tests.jsandserver/lib/tests/headerLoginAuth.tests.js), documented in Header-Login, and the new env vars were added todocker-compose.yml,start-wekan.sh,start-wekan.bat,Dockerfile,.devcontainer/Dockerfile,releases/virtualbox/start-wekan.shand the Snap config. Affected Wekan v9.44 and earlier. Thanks to rz1027, xet7 and Claude.
and adds the following updates:
- Improved accessibility across all pages following WCAG 2.1 AA guidelines:
- Added a visible keyboard focus indicator (
:focus-visibleoutline) for links, buttons and form controls. The global CSS reset previously stripped all focus outlines, leaving keyboard users with no indication of focus (WCAG 2.4.7). - Added a “Skip to main content” link that lets keyboard and screen-reader users bypass the header chrome (WCAG 2.4.1 Bypass Blocks).
- Added landmark roles so assistive technology can navigate page regions:
role="main"on the content area,role="navigation"on the header quick-access bar, androle="search"on the global search form (WCAG 1.3.1). - Marked modals and popups as
role="dialog"with accessible names, setaria-modal="true"on modals, and moved keyboard focus into a modal when it opens and back to the triggering element when it closes (WCAG 2.4.3 Focus Order). - Added accessible names (
aria-label) to icon-only controls that previously had none: modal/popup close and back buttons, the announcement close button, the sidebar close/back buttons and the global search input and clear button (WCAG 4.1.2 Name, Role, Value). - Marked decorative Font Awesome icons inside labelled controls as
aria-hidden="true"so they are not announced redundantly. - Added a screen-reader-only
.sr-onlyhelper class.
- Added a visible keyboard focus indicator (
- Reorganized and updated the documentation:
- Fixed 14 broken relative links in
docs/README.md(verified with a link check). - Split the monolithic
docs/Features/Features.mdinto focused topic pages underdocs/Features/subdirectories: Boards, Lists, Cards, Members, Keyboard Shortcuts, Admin Panel, WIP Limits, Cleanup and Stats;Features.mdis now an index linking to them, anddocs/README.mdlinks the new pages. - Added documentation for previously-undocumented features: Right-to-Left (RTL) UI, Stickers, Card Locations, Board Background Images, Attachments and File Storage, the card “complete” checkbox, and a new Accessibility feature page (covering both the Admin Panel / Settings / Accessibility info page and the built-in accessibility features above).
- Updated outdated information based on the CHANGELOG: the Meteor/Node versions (now Meteor 3.x / Node.js 24.x) and the obsolete feature wishlist (Custom Fields, Subtasks, Swimlanes, Gantt, WIP limits, voting and templates are now implemented).
- Fixed 14 broken relative links in
and adds the following new features:
- Added an accessibility end-to-end test suite that checks the page language, skip link, landmark roles, visible focus, dialog roles, accessible names on icon controls, and the absence of duplicate element ids.
- Greatly expanded board automation Rules:
- The Rules page is now a fullscreen page below the top bar (board sidebar →
Rules), instead of a cramped popup. It has its own route
/b/:id/:slug/rules. - Scheduled rules: run rules on a schedule (once on a date, or every day / weekday / week / month at a chosen time), on due dates (set / approaching / overdue), or by card aging (“a card has been in a list for N days”). A SyncedCron job evaluates these every minute. This makes processes such as “archive cards that have been in the Completed column for 90 days” work out of the box.
- These long-standing automation feature requests are implemented by the above rules work and can be closed: Fixes #1160, Fixes #2476, Fixes #4372, Fixes #5775, Fixes #5825 — IFTTT-style rules including recurring cards (#1160), Trello-Butler- like Scheduled Rules (#2476), rules that set a due date 1 day/week/month ahead via the “set a date relative to now (+N days)” action (#4372), and automated recurring cards/tasks on a daily/weekday/weekly/monthly schedule from the GUI (#5775, #5825).
- More Trello-Butler-style automations: card buttons (shown on the card) and board buttons (shown in the board header) that run an action on demand, and new actions — sort a list (by due/name/created/modified), move all cards in a list, mark card complete/incomplete, and set a date relative to now.
- Manage rules: select all / unselect all, delete selected, edit (rename), and
a drag-and-drop visual Workflow editor (Jira-like): drag a trigger and an
action into a
When … → Then …builder to create a rule, drag an action onto an existing rule to change it, and delete rules from the graph. - Import / Export rules to JSON (lossless) and CSV (round-trippable); export only the selected rules; a best-effort importer for Trello Butler commands (Trello board exports do not contain Butler rules, so they are pasted in and the supported subset is mapped, with unmapped lines reported).
- Import visual workflows from n8n and Node-RED (best-effort: the workflow graph’s trigger→action edges are mapped to WeKan rules, unmapped nodes reported), with an Import target selector to choose which personal workspace and board the imported rules go into (applies to all importers in the dialog).
- The Rules page is now a fullscreen page below the top bar (board sidebar →
Rules), instead of a cramped popup. It has its own route
- Added a whole-board import REST API (
POST /api/boards/import) that recreates a board — including its rules/triggers/actions (workflows) and other data — from a WeKan board export. With the existing export endpoint this enables migrating all boards + workflows + rules from another WeKan over the API;api.pyaddsimportboardandmigratefromwekan REMOTE_URL REMOTE_USER REMOTE_PASS. The remote fetch is done client-side, so the server never fetches arbitrary URLs. Covered by an e2e test (export a board with a rule → import it → assert the rule, trigger and action are recreated on the new board) intests/playwright/specs/23-rest-api-more.e2e.js.- Rules REST API to add/edit/remove/list rules
(
/api/boards/:boardId/rules), documented in the OpenAPI docs andapi.py(addrule/editrule/removerule/listrules/getrule). - Added a Rules e2e test suite (
tests/playwright/specs/20-rules.e2e.js, covering the fullscreen page, creating event rules, import/export, selecting rules, the workflow view and board buttons) and docs (Features/Rules, updated IFTTT page).
- Rules REST API to add/edit/remove/list rules
(
- Added Jira import (“All Boards → New → Import → From Jira”): import boards from
a Jira Cloud REST issue-search JSON, similar to the Trello importer. Jira statuses
become lists, issues become cards (with labels, due dates and assignees mapped),
and an optional
automationRulesarray is imported as WeKan rules. - Import from WeKan, Trello and Jira can now be done with or without mapping
members: an “Import without mapping members (map later)” button skips the member
mapping step and imports immediately, so members can be mapped afterwards. Covered
by
tests/playwright/specs/21-import-without-mapping.e2e.js. - Rounded out board import/export menus:
- Excel (.xlsx) board import (“All Boards → New → Import → From Excel”): the
spreadsheet is parsed on the server (exceljs) into rows and imported through the
CSV creator, so boards can round-trip through
.xlsx(the matching Excel export already existed). - Board PDF export (“Board Settings → Export → Export board to PDF”, and
GET /api/boards/:boardId/exportPDF): exports the board title, lists and cards to a PDF (reusing the card PDF builder). Addedapi.py exportboardpdf. - Kanboard import and export: “From Kanboard” in the import menu (columns →
lists, tasks → cards, tags → labels) and “Export board to Kanboard JSON” in the
export menu (
GET /api/boards/:boardId/export/kanboard), which round-trips with the importer. - Import and export to/from NextCloud Deck, OpenProject, GitHub, GitLab, Gitea
and Forgejo. Implemented generically: each tool has a small parser that
normalizes its export/API JSON to a common shape (reusing one import engine) and
a formatter that emits the tool’s JSON (reusing one export collector). Added to
the import and export menus, with a generalized REST API
(
POST /api/boards/import/:source,GET /api/boards/:boardId/export/:format) andapi.pyhelpers (importboardfrom,exportboardformat) so all boards can be migrated in bulk. Issue trackers (GitHub/GitLab/Gitea/Forgejo) map issues to cards grouped into Open/Closed lists; Deck stacks and OpenProject statuses become lists. Documented in External-Tools. - Asana and ZenKit are now fully built-in (import + export menus, REST
API and
api.py— no external script needed). - Together with the existing CSV/Excel import+export and the card PDF export, this completes CSV / Excel / PDF import & export. Fixes #395.
- Covered by
tests/playwright/specs/25-excel-pdf.e2e.js(Excel import + board PDF export). Documented in Excel-and-VBA and Kanboard.
- Excel (.xlsx) board import (“All Boards → New → Import → From Excel”): the
spreadsheet is parsed on the server (exceljs) into rows and imported through the
CSV creator, so boards can round-trip through
- Extended the REST API so the newer card features are scriptable: the card edit
endpoint (
PUT /api/boards/:boardId/lists/:listId/cards/:cardId) now acceptsstickers,locationsanddueComplete(the complete checkbox), documented withapi.pyexamples (setcardstickers/setcardlocations/setcardcomplete). - Added e2e tests for previously-untested documented features
(
tests/playwright/specs/22-card-features.e2e.js): stickers, card locations, the complete checkbox and WIP limits. - Expanded REST API test coverage (
tests/playwright/specs/23-rest-api-more.e2e.js): the Rules API (create/list/get/edit/delete), the new cardstickers/locations/dueCompletefields, and core CRUD for swimlanes, lists, custom fields, checklists + items and comments. - Added a board background image upload/download API (the background counterpart
of the card-attachment upload API):
POST /api/attachment/upload-backgroundandGET /api/attachment/download-background/:boardId(plus the DDP methodsapi.board.uploadBackground/api.board.downloadBackground). Uploads use the current Admin Panel / Attachments / Default Storage backend and set the image as the board’s active background (board-admin gated). Documented in the OpenAPI docs andapi.py(uploadbackground/downloadbackground). - Added Trello-Butler-style rule variables —
{cardname},{cardnumber},{listname},{boardname},{duedate},{username},{date}/{time}/{datetime}, etc. — substituted in rule action text (email subject/body, created card/checklist/swimlane names). Fixes #2475. - Added visual card aging: when enabled per board (board settings → “Card
aging”), cards that have not been touched for a while are progressively faded based
on their last activity, Trello-style. The three fade-tier day thresholds are
board-configurable (default 7 / 14 / 28 days). Toggleable and configurable in the
board settings and over the card-settings REST API
(
cardAging,cardAgingDays1/2/3). Fixes #3984. - Added accessible reordering without drag-and-drop: visually hidden, keyboard-focusable “Move card up/down” buttons on minicards and “Move list left/right” buttons on list headers, for screen-reader and keyboard users. Fixes #459.
- The board’s background image is now also shown as the board tile background on the All Boards list page (reusing the existing board background, with a dark overlay for readability). Fixes #5157.
and fixes the following bugs:
-
Fixed rules that send an email crashing with
TAPi18n is not defined(TAPi18nwas not imported inserver/rulesHelper.js). Fixes #5822. -
Fixed the WIP limit counting only the currently visible cards when a filter is active, which let lists exceed their hard WIP limit; it now counts all cards in the list. Fixes #2095.
-
Fixed deleting a board leaving orphaned rule Actions in the database (Rules and Triggers were removed but Actions were not). Fixes #4266.
-
Fixed the “check all / uncheck all / (un)check item” rule actions crashing with “Cannot read property ‘uncheckAllItems’ of undefined” when the named checklist or item does not exist on the card; they now no-op safely. Fixes #5283.
-
Added e2e tests for the above features and fixes in
tests/playwright/specs/24-feature-issues.e2e.js(accessible card/list reordering, visual card aging with default and configurable thresholds, board-delete rule cleanup, and the board background on the All Boards tile). -
Fixed duplicate
id="header"attributes rendered inside loops on the My Cards page, which produced invalid HTML and broke assistive-technology navigation (WCAG 4.1.1). -
Fixed the My Cards table markup: header cells (
<th>) are now wrapped in a<tr>withscope="col", and a caption was added, so the table is announced correctly. -
Added missing
alttext to the user avatar image (the surrounding link already carries the accessible name). -
Fixed several bugs in the new features above that were surfaced by running the full test suite (
./rebuild-wekan.sh→ “Run ALL tests”), so the Playwright suite is green again:- Board JSON export returned empty lists, swimlanes and rules. A previous fix
that made attachment export use
meta.boardIdaccidentally applied the same selector to lists/swimlanes/rules, which store a flatboardId, so those came back empty — and the whole-board import API then had nothing to recreate. Attachments now use their own selector. (models/exporter.js) - Export, PDF export and board-delete REST endpoints required a global site
admin (
Authentication.checkUserId) instead of board-level access, so a board owner using their own API token got403/empty responses and board deletion silently did nothing (its rule/trigger/action cleanup never ran). They now require only a logged-in user and rely on the existing per-boardcanExport/ board-admin checks. (models/export.js,models/exportPDF.js,server/models/boards.js) - Rules did not appear on the fullscreen Rules page. The
boardRulespublication passed the user id string toBoard.isVisibleBy(), which expects a user object, so a board’s rules/triggers/actions were never published. (server/publications/rules.js) - Card edit and checklist REST endpoints returned
500.PUT /api/boards/:boardId/lists/:listId/cards/:cardIdwithlocationsstored entries without the schema-required_id(and without numeric coordinates), and the checklistPOSTreferenced a permission helper it never imported. (server/models/cards.js,server/models/checklists.js) - Excel/CSV import crashed on spreadsheets without date columns (it read
.lengthof a missing cell); date columns are now treated as optional. (models/csvCreator.js) - Importing a board whose export carried a non-WeKan board color aborted with a
400. A WeKan/Trello export can containcolor: "bgnone", which is not an allowed board color, so collection2 rejected the board insert and the import never navigated to the new board. The imported color now falls back to the default when it is not a recognized WeKan color. The post-import username bookkeeping was also hardened to only record usernames on users that actually exist. (models/wekanCreator.js) - Accessible “move card up/down” and “move list left/right” buttons did nothing.
The buttons are visually hidden with an
.sr-onlycontainer that clips them to a 1px box (clip: rect(0,0,0,0)), so a click resolved (via hit-testing) to the element behind them and the Blaze handler never fired. They are now kept in normal flow and hit-testable while still visually hidden (a transparent, focusable control), so the reorder handlers actually run. (client/components/main/layouts.css) - Board/card automation buttons never rendered. The board-button/card-button
helpers joined a published rule to its
triggersdocument to read the button type/label, but the schemalesstriggerscollection’s documents do not reach the client over the board subscription in this Meteor 3 setup, so the lookup found nothing. The button type/label are now denormalised onto the (schema-backed, reliably-published) rule document by a new board-admin-gatedrules.createRuleserver method, and the header/card read them straight from the rule. (server/rulesButton.js,models/rules.js,client/components/rules/actions/boardActions.js,client/components/rules/boardButtons.js,client/components/rules/cardButtons.js) - Hardened several tests that were checking the wrong state rather than a real product
bug: the accessibility test now polls for the
<html lang>attribute (set by client JS on startup) instead of reading it once before the page settles; the board-background tile test selects the “Remaining” boards menu where the unstarred seeded board appears; and the list-menu helper and a few card/list reads now poll/retry through a transient, pre-existing “Board not found” re-render that can briefly tear down the board view while its subscription settles. Thanks to xet7 and Claude.
- Board JSON export returned empty lists, swimlanes and rules. A previous fix
that made attachment export use
Known issues / possible later fixes (not addressed in this release):
- Transient “Board not found” flicker on an open board. While a board’s
subscription re-settles, the reactive board read (
Utils.getCurrentBoard()→ReactiveCache.getBoard→ the memoizingDataCache) can momentarily returnundefinedwhile the subscription is stillready(), soclient/components/ boards/boardBody.jadebriefly showsboard-not-foundand tears down the lists/ cards before the board re-renders. Real users on slow/reconnecting links can see a flash and lose scroll/popup state. The test suite was made resilient to it, but the underlying flicker is unfixed. A safe fix needs care because the obvious options have trade-offs: a “was-ever-present” latch in the board template would replace the flash with a spinner but still unmount the lists; makinggetCurrentBoard()sticky would keep the board mounted but return a stale board after a genuine delete/archive (global behavior change); and hardeningDataCache(not storing a transientundefinedover a present value) risks masking legitimate removals across every reactive read. Same root cause as the board/card automation-button flicker fixed above (worked around there by reading Minimongo directly). DataCache60s teardown timeout (imports/lib/dataCache.js) callsstop()/del()without re-checkinghasDependents()in the timeout callback; adding that re-check is a small, independent hardening that would also reduce the flicker above.- Export auth-failure responses are malformed. On the not-logged-in path the
export endpoints still call
sendJsonResult(res, error.statusCode || 403)with a bare number, which yields HTTP 200 with an empty body instead of the intended status. Should pass{ code, data }. (models/export.js,models/exportPDF.js) - Board REST handlers mask errors as success. The board create/delete handlers
catchand returncode: 200with the error as data (server/models/boards.js); only the delete handler’s auth was corrected here. They should report the real status code. - Importer color hardening. Only the board color is sanitized against
out-of-range values; swimlane/list/card importers could likewise reject an
unrecognized
colorfrom a foreign export and should get the sameallowed.includes(...) ? ... : defaultguard. (models/wekanCreator.js,models/csvCreator.js)
Thanks to above GitHub users for their contributions and translators for their translations.