External risk intelligence

Wekan Accounts Merge Vulnerability Via OIDC Login.

CVE advisorySeverity: CRITICAL (CVSS 9.2)

CVE-2026-52893

Wekan is a web-based kanban application typically deployed as a public-facing or team-accessible web service. Because it relies on web interfaces and external authentication integrations like OIDC, it is commonly exposed to network access in real-world deployment scenarios.

Authentication Bypass

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

This advisory details a vulnerability in Wekan, an open-source kanban application, that could allow an attacker to gain unauthorized access to user accounts by exploiting a flaw in how external login credentials are merged with existing accounts. The issue arises when an attacker uses an external identity provider with an email or username that matches an existing Wekan user, potentially allowing them to hijack that account.

  • Unverified external logins can hijack user accounts.
  • High-impact vulnerability affects account integrity.
  • Confirm relevance and assess potential exposure.

Attack Path

How an attacker could exploit the issue

An attacker can compromise user accounts by leveraging a weakness in how Wekan handles OpenID Connect (OIDC) logins. If an attacker has an OIDC account associated with an email address or username that is already used by a victim's Wekan account, they can exploit the system to merge their OIDC credentials into the victim's account. This allows the attacker to then log in and control the victim's Wekan account.

  • Attacker uses OIDC account matching victim's email.
  • Server merges OIDC login into existing account.
  • Attacker gains unauthorized account access.

Live Threat

Current exploitation, exposure, and threat context

When supported by the advisory, an attacker could merge an attacker-controlled OIDC login into an existing victim's Wekan account by using an OIDC provider account with the victim's email or username. This could allow the attacker to impersonate the victim and access their account.

  • User accounts and their associated data.
  • Merging via matching email or username.
  • Unauthorized account access and control.

Operational Fix

Recommended remediation, mitigation, and detection steps

This vulnerability in Wekan's user account merging, particularly concerning OIDC integrations, likely falls under the responsibility of the platform or application owner who manages the Wekan deployment. The first practical step is to identify all Wekan instances, assess their exposure to OIDC providers and the internet, and confirm business criticality to prioritize remediation efforts.

  • Platform or application owners should own this issue.
  • Verify OIDC integration reachability and user impact.
  • Plan remediation based on identified risk.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is Wekan?

Wekan is an open-source, web-based kanban board application built on the Meteor framework. It is used by teams to organize tasks and projects visually through cards and columns. Because it is a collaborative tool, it often integrates with external identity providers using OpenID Connect (OIDC) to streamline how users sign in, which is the specific feature involved in this security vulnerability.

What is the vulnerability in CVE-2026-52893?

This vulnerability is an instance of Improper Authentication (CWE-287). It exists because the application automatically merges external OIDC login credentials with existing internal accounts if the email or username matches. Critically, it performs this merge without verifying if the user actually owns that email address or checking if the email has been verified by the OIDC provider, allowing an attacker to link their own credentials to a victim's account.

How does an attacker trigger this account merge?

An attacker triggers this by logging into Wekan using an OIDC identity provider account that they control, which happens to share an email or username with a legitimate Wekan user. The system incorrectly trusts this match and binds the attacker's external account to the victim's local account. Note that this attack does not involve guessing a password; it exploits the trust logic in the account creation hook that runs when an OIDC user first logs in.

Is my Wekan instance at risk?

Halo Surface Signal indicates that Wekan is typically deployed as a web-accessible service, often exposed to the internet to support team collaboration. If your instance uses OIDC for authentication, it is likely reachable by the network paths required to exploit this flaw. You should prioritize assessment if your Wekan deployment is internet-facing or allows OIDC logins, as these factors significantly increase the likelihood that an attacker could reach the vulnerable component.

How do I secure my Wekan installation?

The fix for this issue is included in Wekan version 9.32. You should prioritize updating your instance to this version or newer to resolve the insecure account merging logic. Before patching, take inventory of all your Wekan deployments and confirm which ones are configured to use OIDC. Planning your update path to version 9.32 is the most effective way to eliminate this risk to user account integrity.

References