Horizon Alert
Summary of the vulnerability and why it matters
This advisory details a vulnerability in Wekan, an open-source kanban application, that could allow an attacker to gain unauthorized access to user accounts by exploiting a flaw in how external login credentials are merged with existing accounts. The issue arises when an attacker uses an external identity provider with an email or username that matches an existing Wekan user, potentially allowing them to hijack that account.
- Unverified external logins can hijack user accounts.
- High-impact vulnerability affects account integrity.
- Confirm relevance and assess potential exposure.
Attack Path
How an attacker could exploit the issue
An attacker can compromise user accounts by leveraging a weakness in how Wekan handles OpenID Connect (OIDC) logins. If an attacker has an OIDC account associated with an email address or username that is already used by a victim's Wekan account, they can exploit the system to merge their OIDC credentials into the victim's account. This allows the attacker to then log in and control the victim's Wekan account.
- Attacker uses OIDC account matching victim's email.
- Server merges OIDC login into existing account.
- Attacker gains unauthorized account access.
Live Threat
Current exploitation, exposure, and threat context
When supported by the advisory, an attacker could merge an attacker-controlled OIDC login into an existing victim's Wekan account by using an OIDC provider account with the victim's email or username. This could allow the attacker to impersonate the victim and access their account.
- User accounts and their associated data.
- Merging via matching email or username.
- Unauthorized account access and control.
Operational Fix
Recommended remediation, mitigation, and detection steps
This vulnerability in Wekan's user account merging, particularly concerning OIDC integrations, likely falls under the responsibility of the platform or application owner who manages the Wekan deployment. The first practical step is to identify all Wekan instances, assess their exposure to OIDC providers and the internet, and confirm business criticality to prioritize remediation efforts.
- Platform or application owners should own this issue.
- Verify OIDC integration reachability and user impact.
- Plan remediation based on identified risk.