Key Vulnerability Information Title: Wekan <8.21 IDOR via REST API / improper object relationship validation Description: Certain REST endpoints for checklist items accepted boardId/cardId/checklistId parameters but did not sufficiently verify that the referenced checklist item belonged to the specified card and board. This could allow an authenticated user with access to one board to act on checklist items from another board by guessing or obtaining object IDs. The fix adds relationship checks (item.cardId, item.checklistId, card.boardId) and returns 404 when mismatched. Source: https://github.com/wekan/wekan/commit/251d49eea94834cf351bb395808f4a56fb4dbb44 User: MegaManSec (UID 94702) Submission Date: 01/20/2026 12:37 PM Moderation Date: 02/04/2026 03:46 PM Status: Accepted VulDB Entry: 234266 [WeKan up to 8.20 REST models/checklistItems.js item.cardId/item.checklistId/card.boardId Checklist REST Bleed improper authorization] Points: 20