From 08a6f084eba09487743a7c807fb4a9000fcfa9ac Mon Sep 17 00:00:00 2001
From: Lauri Ojansivu
Date: Mon, 29 Dec 2025 16:54:04 +0200
Subject: [PATCH] Security Fix 6: Checklist delete IDOR: checklist not verified against board/card. Thanks to Joshua Rogers of joshua.hu, Twitter MegaManSec !
---
 models/checklists.js | 28 ++++++++++++++++++++++++++++
 1 file changed, 28 insertions(+)
diff --git a/models/checklists.js b/models/checklists.js
index d30dcc1be..8d95b6f17 100644
--- a/models/checklists.js
+++ b/models/checklists.js
@@ -436,8 +436,36 @@ if (Meteor.isServer) {
 '/api/boards/:boardId/cards/:cardId/checklists/:checklistId',
 function(req, res) {
 const paramBoardId = req.params.boardId;
+ const paramCardId = req.params.cardId;
 const paramChecklistId = req.params.checklistId;
 Authentication.checkBoardAccess(req.userId, paramBoardId);
+
+ // Verify the card belongs to the board
+ const card = ReactiveCache.getCard({
+ _id: paramCardId,
+ boardId: paramBoardId,
+ });
+ if (!card) {
+ JsonRoutes.sendResult(res, {
+ code: 404,
+ data: { error: 'Card not found or does not belong to the specified board' },
+ });
+ return;
+ }
+
+ // Verify the checklist exists and belongs to the card
+ const checklist = ReactiveCache.getChecklist({
+ _id: paramChecklistId,
+ cardId: paramCardId,
+ });
+ if (!checklist) {
+ JsonRoutes.sendResult(res, {
+ code: 404,
+ data: { error: 'Checklist not found or does not belong to the specified card' },
+ });
+ return;
+ }
+
 Checklists.remove({ _id: paramChecklistId });
 JsonRoutes.sendResult(res, {
 code: 200,
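Review bot: The `Checklists.remove` context line at the end of the hunk still deletes by `_id` alone, so the ownership the new code just verified is not enforced by the write itself; scoping the selector to the verified parent, `Checklists.remove({ _id: paramChecklistId, cardId: paramCardId });`, makes the delete agree with the check even if the lookup returned a stale document or the checklist was re-parented between the check and the remove. ReactiveCache reads like a cache layer, so whether `getChecklist` can serve a stale document is worth confirming; a database-side selector removes the question either way. Answering both the card and the checklist mismatch with 404 is the right choice, since a 403 would confirm to the caller that the guessed ID exists. The handler's body continues outside the hunk, and `Authentication.checkBoardAccess` only shows that the user can reach the board — whether a read-only member should be allowed to delete a checklist is not addressed here and may deserve a separate check.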