This release includes one security fix, of interest to security teams reviewing exposed deployments.
ReleasePort's take
Signal: Moderate
Version v9.37 fixes the BoardBleed vulnerability that permitted unauthorized cross‑board writes of cards, lists, and swimlanes.
Why it matters: The fix addresses a severity‑95 access control flaw enabling unauthorized card/list/swimlane moves into private boards; all deployments should upgrade immediately.
Summary
AI summary: Fixed critical BoardBleed access control vulnerability allowing cross‑board write without permission.
Changes in this release
| Type | Severity | Summary | CVE |
|---|---|---|---|
| Security | Critical | Fixes BoardBleed cross‑board write vulnerability allowing unauthorized card/list/swimlane moves into private boards. | — |
Full changelog
v9.37 2026-06-11 WeKan ® release
This release fixes the following CRITICAL SECURITY ISSUES of BoardBleed:
- Fixed [BoardBleed: Broken access control lets any authenticated user move their Cards/Lists/Swimlanes into a private board they are not a member of (cross-board write via collection allow rule)](https://github.com/wekan/wekan/security/advisories/GHSA-gm7v-pc38-53jr) (CWE-284, CWE-639). WeKan boards are membership-scoped, but the DDP collection write policies for Cards, Lists and Swimlanes (server/permissions/cards.js, server/permissions/lists.js, server/permissions/swimlanes.js) authorized an update by checking only the CURRENT (pre-update) boardId of the document — i.e. the attacker's own source board — and never validated the NEW boardId supplied in the update modifier. Because every logged-in user can create a board where they are admin, an attacker could take a document they own and, in a single /cards/update, /lists/update or /swimlanes/update DDP call, $set its boardId (plus swimlaneId/listId) to a victim's private board: the allow rule saw the attacker's own source board, approved the write, and the document was relocated into a board the attacker is not a member of and cannot even read. This let an unprivileged user inject arbitrary cards/lists/swimlanes (attacker-controlled titles, descriptions, assignees, etc.) into any private board by id, defeating board-level access control. The REST API for the same operation (PUT /api/boards/:boardId/lists/:listId/cards/:cardId with newBoardId) was not affected because it correctly calls Authentication.checkBoardWriteAccess(req.userId, newBoardId) on the destination board; only the DDP allow/deny layer was vulnerable. Fixed by adding a denyCrossBoardMove helper in server/lib/utils.js and a Cards.deny/Lists.deny/Swimlanes.deny update rule on each collection that rejects any update whose modifier $sets a boardId on which the caller does not have write access, so a cross-board move is only allowed into a destination board where the user is an active write-capable member. Affected Wekan v9.35 and earlier. Thanks to 0xzap, xet7 and Claude.
and adds the following updates:
- Update release website script version numbering.
Thanks to xet7 and Claude.
Thanks to above GitHub users for their contributions and translators for their translations.
Security Fixes
- GHSA-gm7v-pc38-53jr — Fixed BoardBleed: prevented authenticated users from moving Cards/Lists/Swimlanes into private boards they do not belong to by adding cross‑board move denial checks.
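As an added illustration (not WeKan's own code), a minimal Meteor-style allow/deny simulation of the bug and the fix described above: the pre-fix allow rule consults only the document's current boardId, while the added deny rule inspects the modifier's $set.boardId and requires write membership on the destination board. The boards map, the hasWriteAccess helper and the member fields are constructed assumptions for the demo, not WeKan's schema.

```javascript
// Constructed sample data (assumption, not WeKan's schema): two boards, each
// with one active write-capable member. "attacker" is not a member of "vic".
const boards = {
  atk: { members: [{ userId: 'attacker', isActive: true, isCommentOnly: false }] },
  vic: { members: [{ userId: 'victim', isActive: true, isCommentOnly: false }] },
};

// Hypothetical write-access check: active member who is not comment-only.
function hasWriteAccess(userId, boardId) {
  const board = boards[boardId];
  if (!board) return false;
  return board.members.some(
    (m) => m.userId === userId && m.isActive && !m.isCommentOnly,
  );
}

// Pre-fix allow rule shape: authorizes on doc.boardId, the document's CURRENT
// (source) board, and never looks at where the modifier is moving it.
function vulnerableAllowUpdate(userId, doc) {
  return hasWriteAccess(userId, doc.boardId);
}

// Post-fix deny rule shape: if the modifier $sets boardId, the caller must
// have write access on that DESTINATION board; otherwise the update is denied.
function denyCrossBoardMove(userId, doc, modifier) {
  const set = (modifier && modifier.$set) || {};
  if (!Object.prototype.hasOwnProperty.call(set, 'boardId')) return false;
  if (set.boardId === doc.boardId) return false; // same board, not a move
  return !hasWriteAccess(userId, set.boardId);
}

// Meteor semantics: a client update succeeds only if an allow rule returns
// true AND no deny rule returns true.
function updatePermitted(userId, doc, modifier) {
  return (
    vulnerableAllowUpdate(userId, doc) && !denyCrossBoardMove(userId, doc, modifier)
  );
}

// Constructed scenario: attacker tries to relocate its own card into "vic".
const attackerCard = { _id: 'card1', boardId: 'atk' };
const crossBoardMove = {
  $set: { boardId: 'vic', listId: 'vicList', swimlaneId: 'vicSwim' },
};
// Allow rule alone approves the move; with the deny rule it is rejected.
console.log('allow alone:', vulnerableAllowUpdate('attacker', attackerCard));
console.log('with deny:', updatePermitted('attacker', attackerCard, crossBoardMove));
```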
About wekan
The Open Source kanban, built with Meteor. GitHub issues/PRs are only for FLOSS Developers, not for support, support is at https://wekan.fi/commercial-support/ . New English strings for new features at imports/i18n/data/en.i18n.json . Non-English translations at https://app.transifex.com/wekan/wekan only.