From 545566f5663545d16174e0f2399f231aa693ab6e Mon Sep 17 00:00:00 2001
From: Lauri Ojansivu <x@xet7.org>
Date: Sun, 18 Jan 2026 19:55:48 +0200
Subject: [PATCH] Security Fix 10: BoardTitleRESTBleed.

Thanks to [Joshua Rogers](https://joshua.hu) of [Aisle Research](https://aisle.com) and xet7.
---
 models/boards.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/models/boards.js b/models/boards.js
index 323966752..787dc790c 100644
--- a/models/boards.js
+++ b/models/boards.js
@@ -2433,8 +2433,8 @@ if (Meteor.isServer) {
   */
   JsonRoutes.add('PUT', '/api/boards/:boardId/title', function(req, res) {
     try {
-      Authentication.checkUserId(req.userId);
       const boardId = req.params.boardId;
+      Authentication.checkBoardWriteAccess(req.userId, boardId);
       const title = req.body.title;
 
       Boards.direct.update({ _id: boardId }, { $set: { title } });