External risk intelligence

Wekan Header Login Vulnerability Allows Remote Account Takeover.

CVE advisorySeverity: CRITICAL (CVSS 9.8)

CVE-2026-55652

Wekan is a web-based kanban application designed for team collaboration, which is commonly deployed as a web service accessible over a network. Because it functions as a web application that facilitates user login and authentication, it is often exposed to the internet or wide internal networks to allow remote access for users.

Authentication Bypass

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

This advisory addresses a critical vulnerability in Wekan, an open-source project management tool. The issue allows unauthenticated attackers to potentially gain administrative session tokens by exploiting how the system trusts specific header information, bypassing authentication. The main concern is confirming relevance and exposure.

  • Unauthenticated users can bypass login protections.
  • Allows unauthorized access to sensitive project data.
  • Confirm if Wekan is used and assess potential exposure.

Attack Path

How an attacker could exploit the issue

An attacker can bypass authentication by sending a crafted request to the Wekan application. By manipulating the `X-Forwarded-For` header, the attacker can trick the application into believing the request originates from a trusted IP address, even if it doesn't. This allows the attacker to impersonate any user, including an administrator, and gain a session token.

  • Unauthenticated network access required.
  • Trusted IP header manipulation.
  • Admin session token obtained.

Live Threat

Current exploitation, exposure, and threat context

When the `HEADER_LOGIN_TRUSTED_IPS` setting is enabled, an unauthenticated attacker could exploit a vulnerability in Wekan by manipulating the `X-Forwarded-For` header. This manipulation could allow them to impersonate any user, including administrators, and obtain a valid session token, potentially leading to unauthorized access and control of the application.

  • Unauthorized access to Wekan application.
  • Exploited via manipulated network headers.
  • System control and data compromise.

Operational Fix

Recommended remediation, mitigation, and detection steps

The Wekan application's authentication bypass vulnerability requires action from teams responsible for its deployment and management. This typically includes application owners, platform or infrastructure teams managing the Wekan instance, and potentially network or security teams monitoring access. The first practical step is to identify all Wekan deployments, assess their network exposure and business criticality, and then locate the accountable owner for each instance to prioritize remediation efforts, considering vendor coordination if applicable.

  • Application owners should address the issue.
  • Verify Wekan instance exposure and criticality.
  • Plan remediation based on identified risk.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is Wekan?

Wekan is an open-source kanban board application built using the Meteor framework. Teams use it for visual project management, tracking tasks, and collaborating on workflows. Because it is a web-based tool designed for team cooperation, it is typically hosted as a service that users access through their browsers to manage shared boards and project data.

What does CVE-2026-55652 mean for security?

This vulnerability involves Improper Authentication (CWE-287) and Authentication Bypass by Spoofing (CWE-290). In simple terms, the application incorrectly trusts network information provided by the client. An attacker can manipulate specific request headers to trick the system into verifying them as a trusted user, bypassing the normal login process entirely to gain unauthorized access to accounts.

How does an attacker trigger this vulnerability?

An attacker triggers this by sending a specifically crafted request to the Wekan server when the HEADER_LOGIN_TRUSTED_IPS feature is enabled. By injecting a false 'X-Forwarded-For' header, they deceive the system regarding the true origin of the request. This issue does not exist if the trusted IP header feature is disabled or if the application is not configured to accept authentication requests based on those specific network headers.

Do I need to worry about this if my Wekan instance is private?

Halo Surface Signal indicates that Wekan is often deployed as a web service accessible over networks to support remote teams. If your instance is internet-facing, it is at higher risk. However, even on internal networks, any user or device capable of reaching the service can attempt this bypass. You should evaluate your specific deployment's reachability and who can send traffic to your Wekan server.

When should I take action for CVE-2026-55652?

You should prioritize this immediately if you are running a version of Wekan older than 9.46 with header-based login enabled. First, inventory all active Wekan instances to determine which are currently using the affected authentication configuration. Once identified, plan to update to version 9.46 or later, which contains the necessary security patch to stop the application from trusting client-supplied headers.

References