{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-30843", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-05T21:06:44.607Z", "datePublished": "2026-03-06T19:30:38.396Z", "dateUpdated": "2026-03-09T20:34:20.437Z"}, "containers": {"cna": {"title": "Wekan has Cross-Board IDOR in Custom Fields Update Endpoints", "problemTypes": [{"descriptions": [{"cweId": "CWE-639", "lang": "en", "description": "CWE-639: Authorization Bypass Through User-Controlled Key", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "baseScore": 9.3, "baseSeverity": "CRITICAL", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N", "version": "4.0"}}], "references": [{"name": "https://securitylab.github.com/advisories/GHSL-2026-044_Wekan/", "tags": ["x_refsource_CONFIRM"], "url": "https://securitylab.github.com/advisories/GHSL-2026-044_Wekan/"}, {"name": "https://github.com/wekan/wekan/commit/73eb98c57afd3d72377a1f7160a52450ab0eeb8b", "tags": ["x_refsource_MISC"], "url": "https://github.com/wekan/wekan/commit/73eb98c57afd3d72377a1f7160a52450ab0eeb8b"}, {"name": "https://github.com/wekan/wekan/releases/tag/v8.34", "tags": ["x_refsource_MISC"], "url": "https://github.com/wekan/wekan/releases/tag/v8.34"}], "affected": [{"vendor": "Wekan", "product": "Wekan", "versions": [{"version": ">= 8.32, < 8.34", "status": "affected"}]}, {"vendor": "Wekan", "product": "Wekan", "versions": [{"version": ">= 8.32, < 8.34", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-06T19:30:38.396Z"}, "descriptions": [{"lang": "en", "value": "Wekan is an open source kanban tool built with Meteor. Versions 8.32 and 8.33 have a critical Insecure Direct Object Reference (IDOR) issue which could allow unauthorized users to modify custom fields across boards through its custom fields update endpoints, potentially leading to unauthorized data manipulation. The PUT /api/boards/:boardId/custom-fields/:customFieldId endpoint in Wekan validates that the authenticated user has access to the specified boardId, but the subsequent database update uses only the custom field's _id as a filter without confirming the field actually belongs to that board. This means an attacker who owns any board can modify custom fields on any other board by supplying a foreign custom field ID, and the same flaw exists in the POST, PUT, and DELETE endpoints for dropdown items under custom fields. The required custom field IDs can be obtained by exporting a board (which only needs read access), since the exported JSON includes the IDs of all board components. The authorization check is performed against the wrong resource, allowing cross-board custom field manipulation. This issue has been fixed in version 8.34."}], "source": {"advisory": "GHSA-q7r8-6wqw-v9v7", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-30843", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-09T20:26:51.142628Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-09T20:34:20.437Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-30843", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-09T20:26:51.142628Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-09T20:27:06.674Z"}}], "cna": {"title": "Wekan has Cross-Board IDOR in Custom Fields Update Endpoints", "source": {"advisory": "GHSA-q7r8-6wqw-v9v7", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 9.3, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH"}}], "affected": [{"vendor": "Wekan", "product": "Wekan", "versions": [{"status": "affected", "version": ">= 8.32, < 8.34"}]}, {"vendor": "Wekan", "product": "Wekan", "versions": [{"status": "affected", "version": ">= 8.32, < 8.34"}]}], "references": [{"url": "https://securitylab.github.com/advisories/GHSL-2026-044_Wekan/", "name": "https://securitylab.github.com/advisories/GHSL-2026-044_Wekan/", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/wekan/wekan/commit/73eb98c57afd3d72377a1f7160a52450ab0eeb8b", "name": "https://github.com/wekan/wekan/commit/73eb98c57afd3d72377a1f7160a52450ab0eeb8b", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/wekan/wekan/releases/tag/v8.34", "name": "https://github.com/wekan/wekan/releases/tag/v8.34", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Wekan is an open source kanban tool built with Meteor. Versions 8.32 and 8.33 have a critical Insecure Direct Object Reference (IDOR) issue which could allow unauthorized users to modify custom fields across boards through its custom fields update endpoints, potentially leading to unauthorized data manipulation. The PUT /api/boards/:boardId/custom-fields/:customFieldId endpoint in Wekan validates that the authenticated user has access to the specified boardId, but the subsequent database update uses only the custom field's _id as a filter without confirming the field actually belongs to that board. This means an attacker who owns any board can modify custom fields on any other board by supplying a foreign custom field ID, and the same flaw exists in the POST, PUT, and DELETE endpoints for dropdown items under custom fields. The required custom field IDs can be obtained by exporting a board (which only needs read access), since the exported JSON includes the IDs of all board components. The authorization check is performed against the wrong resource, allowing cross-board custom field manipulation. This issue has been fixed in version 8.34."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-639", "description": "CWE-639: Authorization Bypass Through User-Controlled Key"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-06T19:30:38.396Z"}}}, "cveMetadata": {"cveId": "CVE-2026-30843", "state": "PUBLISHED", "dateUpdated": "2026-03-09T20:34:20.437Z", "dateReserved": "2026-03-05T21:06:44.607Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-06T19:30:38.396Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:wekan_project:wekan:8.32:*:*:*:*:*:*:*", "matchCriteriaId": "49FD24D6-7487-4971-B679-E8CB7EF29A64", "vulnerable": true}, {"criteria": "cpe:2.3:a:wekan_project:wekan:8.33:*:*:*:*:*:*:*", "matchCriteriaId": "24B3EEBA-2A0C-4A5A-B07A-13219B4E03D8", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Wekan is an open source kanban tool built with Meteor. Versions 8.32 and 8.33 have a critical Insecure Direct Object Reference (IDOR) issue which could allow unauthorized users to modify custom fields across boards through its custom fields update endpoints, potentially leading to unauthorized data manipulation. The PUT /api/boards/:boardId/custom-fields/:customFieldId endpoint in Wekan validates that the authenticated user has access to the specified boardId, but the subsequent database update uses only the custom field's _id as a filter without confirming the field actually belongs to that board. This means an attacker who owns any board can modify custom fields on any other board by supplying a foreign custom field ID, and the same flaw exists in the POST, PUT, and DELETE endpoints for dropdown items under custom fields. The required custom field IDs can be obtained by exporting a board (which only needs read access), since the exported JSON includes the IDs of all board components. The authorization check is performed against the wrong resource, allowing cross-board custom field manipulation. This issue has been fixed in version 8.34."}, {"lang": "es", "value": "Wekan es una herramienta kanban de c\u00f3digo abierto construida con Meteor. Las versiones 8.32 y 8.33 tienen un problema cr\u00edtico de Referencia Directa a Objeto Insegura (IDOR) que podr\u00eda permitir a usuarios no autorizados modificar campos personalizados entre tableros a trav\u00e9s de sus puntos finales de actualizaci\u00f3n de campos personalizados, lo que podr\u00eda llevar a la manipulaci\u00f3n no autorizada de datos. El punto final PUT /api/boards/:boardId/custom-fields/:customFieldId en Wekan valida que el usuario autenticado tiene acceso al boardId especificado, pero la subsiguiente actualizaci\u00f3n de la base de datos utiliza solo el _id del campo personalizado como filtro sin confirmar que el campo realmente pertenece a ese tablero. Esto significa que un atacante que posee cualquier tablero puede modificar campos personalizados en cualquier otro tablero al proporcionar un ID de campo personalizado externo, y la misma falla existe en los puntos finales POST, PUT y DELETE para elementos desplegables bajo campos personalizados. Los ID de campo personalizados requeridos se pueden obtener exportando un tablero (lo que solo necesita acceso de lectura), ya que el JSON exportado incluye los ID de todos los componentes del tablero. La verificaci\u00f3n de autorizaci\u00f3n se realiza contra el recurso incorrecto, permitiendo la manipulaci\u00f3n de campos personalizados entre tableros. Este problema ha sido solucionado en la versi\u00f3n 8.34."}], "id": "CVE-2026-30843", "lastModified": "2026-03-11T15:49:35.097", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "[email protected]", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 9.3, "baseSeverity": "CRITICAL", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "[email protected]", "type": "Secondary"}]}, "published": "2026-03-06T20:16:16.860", "references": [{"source": "[email protected]", "tags": ["Patch"], "url": "https://github.com/wekan/wekan/commit/73eb98c57afd3d72377a1f7160a52450ab0eeb8b"}, {"source": "[email protected]", "tags": ["Release Notes"], "url": "https://github.com/wekan/wekan/releases/tag/v8.34"}, {"source": "[email protected]", "tags": ["Third Party Advisory"], "url": "https://securitylab.github.com/advisories/GHSL-2026-044_Wekan/"}], "sourceIdentifier": "[email protected]", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-639"}], "source": "[email protected]", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[8.32,8.34)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Wekan", "source": "cna", "vendor": "Wekan"}, "product": "wekan", "vendor": "wekan"}], "created": "2026-03-09T10:07:08.740005+00:00", "updated": "2026-03-09T10:07:08.740092+00:00", "vendors": ["wekan", "wekan$PRODUCT$wekan"]}