wekan

v9.31 Security

This release includes 1 security fix for security teams reviewing exposed deployments.

Published 7d Productivity & Wikis
✓ No known CVEs patched
This release patches 1 known CVE

Topics

docker javascript kanban meteor real-time sandstorm snapcraft wekan

Affected surfaces

auth breaking_upgrade

ReleasePort's take

Moderate signal
editorial:auto 7d

The release fixes a critical security issue by moving Attachment Storage options to the Admin Panel and exposing Meteor user context to Express endpoints.

Why it matters: Addresses GHSA-g6vm-7757-pr88, a critical security flaw affecting attachment storage configuration and API authentication; immediate mitigation required for affected deployments.

Summary

AI summary

Updates https://github.com/wekan/wekan/commit/8351bba818a04c9db11a0e3fa380a10f8d51482c, https://github.com/wekan/wekan/commit/8cda80752fd56c870cb139600fedc82643874c3b, and https://github.com/wekan/wekan/commit/c8430a8c1419cc68023ed918e26f7d4f279968ca across a mixed release.

Changes in this release

Security Critical

Fixes critical security issue GHSA-g6vm-7757-pr88 by moving Attachment Storage options to Admin Panel and exposing Meteor user context to Express endpoints.

Source: llm_adapter@2026-05-27

Confidence: high

Feature Low

Adds Header Login feature.

Source: llm_adapter@2026-05-27

Confidence: high

Feature Low

Updates platforms configuration.

Source: llm_adapter@2026-05-27

Confidence: high

Feature Low

Updates Windows installation documentation.

Source: llm_adapter@2026-05-27

Confidence: high

Feature Low

Upgrades Meteor runtime to 3.5‑beta.12.

Source: llm_adapter@2026-05-27

Confidence: high

Dependency Low

Bumps docker/login-action from 4.1.0 to 4.2.0.

Source: llm_adapter@2026-05-27

Confidence: high

Dependency Low

Bumps docker/metadata-action from 6.0.0 to 6.1.0.

Source: llm_adapter@2026-05-27

Confidence: high

Dependency Low

Bumps docker/build-push-action from 7.1.0 to 7.2.0.

Source: llm_adapter@2026-05-27

Confidence: high

Bugfix Low

Fixes typo.

Source: llm_adapter@2026-05-27

Confidence: high

Full changelog

This release fixes the following CRITICAL SECURITY ISSUES:

and adds the following updates:

and adds the following new features:

and fixes the following bugs:

Thanks to above GitHub users for their contributions and translators for their translations.

Security Fixes

  • GHSA-g6vm-7757-pr88 – moved Attachment Storage options from board to Admin Panel and exposed Meteor user context to Express endpoints

About wekan

The Open Source kanban, built with Meteor. GitHub issues/PRs are only for FLOSS Developers, not for support, support is at https://wekan.fi/commercial-support/ . New English strings for new features at imports/i18n/data/en.i18n.json . Non-English translations at https://app.transifex.com/wekan/wekan only.
