Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

CVE-2026-53445

Gravedad CVSS v4.0:
ALTA
Tipo:
No Disponible / Otro tipo
Fecha de publicación:
15/07/2026
Última modificación:
16/07/2026

Descripción

*** Pendiente de traducción *** Wekan is open source kanban built with Meteor. Prior to 9.32, the Wekan copyBoard Meteor DDP method in server/publications/boards.js copies a board by caller-supplied board ID without checking this.userId, membership, or admin access. Any authenticated user can copy a private board they are not a member of, including its cards, checklists, custom fields, labels, and rules, while the REST POST /api/boards/:boardId/copy path correctly checks board admin access. This issue is fixed in version 9.32.