{
  "affected": [
    {
      "ranges": [
        {
          "database_specific": {
            "extracted_events": [
              {
                "introduced": "0"
              },
              {
                "fixed": "9.46"
              }
            ],
            "source": [
              "AFFECTED_FIELD",
              "REFERENCES"
            ]
          },
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "b181889a565254bc9bf79379a34fc7f617ccda28"
            },
            {
              "fixed": "1905d5d68eb1217338c2bcf5c58471ca2d010725"
            }
          ],
          "repo": "https://github.com/wekan/wekan",
          "type": "GIT"
        }
      ]
    }
  ],
  "aliases": [
    "GHSA-jggc-qvfc-jr6x"
  ],
  "database_specific": {
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
      "CWE-287",
      "CWE-290"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/55xxx/CVE-2026-55652.json"
  },
  "details": "Wekan is open source kanban built with Meteor. Prior to 9.46, header-login with HEADER_LOGIN_TRUSTED_IPS uses getRequestIp() in server/lib/headerLoginAuth.js to trust the client-supplied X-Forwarded-For header before the real socket address, allowing an unauthenticated attacker to send HEADER_LOGIN_ID for any username and receive a meteor_login_token session, including for admin. This issue is fixed in version 9.46.",
  "id": "CVE-2026-55652",
  "modified": "2026-07-19T03:31:16.369446255Z",
  "published": "2026-07-15T21:15:11.246Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/wekan/wekan/releases/tag/v9.46"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/55xxx/CVE-2026-55652.json"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/wekan/wekan/security/advisories/GHSA-jggc-qvfc-jr6x"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-55652"
    },
    {
      "type": "FIX",
      "url": "https://github.com/wekan/wekan/commit/b181889a565254bc9bf79379a34fc7f617ccda28"
    }
  ],
  "schema_version": "1.8.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Wekan: Header-login IP allowlist bypass via X-Forwarded-For spoofing in Wekan allows unauthenticated full account takeover (incl. admin)"
}