{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-04-22T13:42:09.806","vulnerabilities":[{"cve":{"id":"CVE-2026-30843","sourceIdentifier":"security-advisories@github.com","published":"2026-03-06T20:16:16.860","lastModified":"2026-03-11T15:49:35.097","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"Wekan is an open source kanban tool built with Meteor. Versions 8.32 and 8.33 have a critical Insecure Direct Object Reference (IDOR) issue which could allow unauthorized users to modify custom fields across boards through its custom fields update endpoints, potentially leading to unauthorized data manipulation. The PUT /api/boards/:boardId/custom-fields/:customFieldId endpoint in Wekan validates that the authenticated user has access to the specified boardId, but the subsequent database update uses only the custom field's _id as a filter without confirming the field actually belongs to that board. This means an attacker who owns any board can modify custom fields on any other board by supplying a foreign custom field ID, and the same flaw exists in the POST, PUT, and DELETE endpoints for dropdown items under custom fields. The required custom field IDs can be obtained by exporting a board (which only needs read access), since the exported JSON includes the IDs of all board components. The authorization check is performed against the wrong resource, allowing cross-board custom field manipulation. This issue has been fixed in version 8.34."},{"lang":"es","value":"Wekan es una herramienta kanban de código abierto construida con Meteor. Las versiones 8.32 y 8.33 tienen un problema crítico de Referencia Directa a Objeto Insegura (IDOR) que podría permitir a usuarios no autorizados modificar campos personalizados entre tableros a través de sus puntos finales de actualización de campos personalizados, lo que podría llevar a la manipulación no autorizada de datos. El punto final PUT /api/boards/:boardId/custom-fields/:customFieldId en Wekan valida que el usuario autenticado tiene acceso al boardId especificado, pero la subsiguiente actualización de la base de datos utiliza solo el _id del campo personalizado como filtro sin confirmar que el campo realmente pertenece a ese tablero. Esto significa que un atacante que posee cualquier tablero puede modificar campos personalizados en cualquier otro tablero al proporcionar un ID de campo personalizado externo, y la misma falla existe en los puntos finales POST, PUT y DELETE para elementos desplegables bajo campos personalizados. Los ID de campo personalizados requeridos se pueden obtener exportando un tablero (lo que solo necesita acceso de lectura), ya que el JSON exportado incluye los ID de todos los componentes del tablero. La verificación de autorización se realiza contra el recurso incorrecto, permitiendo la manipulación de campos personalizados entre tableros. Este problema ha sido solucionado en la versión 8.34."}],"metrics":{"cvssMetricV40":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":9.3,"baseSeverity":"CRITICAL","attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"LOW","userInteraction":"NONE","vulnConfidentialityImpact":"HIGH","vulnIntegrityImpact":"HIGH","vulnAvailabilityImpact":"NONE","subConfidentialityImpact":"HIGH","subIntegrityImpact":"HIGH","subAvailabilityImpact":"NONE","exploitMaturity":"NOT_DEFINED","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}}],"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N","baseScore":6.5,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"HIGH","availabilityImpact":"NONE"},"exploitabilityScore":2.8,"impactScore":3.6}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Primary","description":[{"lang":"en","value":"CWE-639"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:wekan_project:wekan:8.32:*:*:*:*:*:*:*","matchCriteriaId":"49FD24D6-7487-4971-B679-E8CB7EF29A64"},{"vulnerable":true,"criteria":"cpe:2.3:a:wekan_project:wekan:8.33:*:*:*:*:*:*:*","matchCriteriaId":"24B3EEBA-2A0C-4A5A-B07A-13219B4E03D8"}]}]}],"references":[{"url":"https://github.com/wekan/wekan/commit/73eb98c57afd3d72377a1f7160a52450ab0eeb8b","source":"security-advisories@github.com","tags":["Patch"]},{"url":"https://github.com/wekan/wekan/releases/tag/v8.34","source":"security-advisories@github.com","tags":["Release Notes"]},{"url":"https://securitylab.github.com/advisories/GHSL-2026-044_Wekan/","source":"security-advisories@github.com","tags":["Third Party Advisory"]}]}}]}