Skip to main content

WeKan CVE-2026-25560

HIGH
LDAP Injection (CWE-90)
2026-02-07 disclosure@vulncheck.com
8.7
CVSS 4.0 · Vendor: vulncheck
Share

Severity by source

Vendor (vulncheck) PRIMARY
8.7 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
7.5 HIGH

Pre-auth LDAP login path is network-reachable with low complexity and no privileges (AV:N/AC:L/PR:N/UI:N); impact is directory-query manipulation/disclosure, so C:H with I:N/A:N.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (vulncheck).

CVSS VectorVendor: vulncheck

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

9
Analysis Updated
Jul 14, 2026 - 17:07 vuln.today
v3 (cvss_changed)
Source Code Evidence Fetched
Jul 14, 2026 - 17:04 vuln.today
Analysis Updated
Jul 14, 2026 - 17:04 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jul 14, 2026 - 16:22 vuln.today
cvss_changed
Severity Changed
Jul 14, 2026 - 16:22 NVD
CRITICAL HIGH
CVSS changed
Jul 14, 2026 - 16:22 NVD
9.8 (CRITICAL) 8.7 (HIGH)
Analysis Generated
Mar 12, 2026 - 21:54 vuln.today
Patch released
Feb 10, 2026 - 22:03 nvd
Patch available
CVE Published
Feb 07, 2026 - 22:16 nvd
CRITICAL 9.8

DescriptionCVE.org

WeKan versions prior to 8.19 contain an LDAP filter injection vulnerability in LDAP authentication. User-supplied username input is incorporated into LDAP search filters and DN-related values without adequate escaping, allowing an attacker to manipulate LDAP queries during authentication.

AnalysisAI

LDAP filter injection in WeKan before 8.19 allows remote unauthenticated attackers to manipulate LDAP search filters and DN construction during login by supplying crafted usernames that are embedded into queries without escaping. Because the malicious input reaches the authentication path directly (CVSS 4.0 AV:N/PR:N/UI:N, base score 8.7), an attacker can tamper with the authentication logic to enumerate directory data or subvert the intended search filter. No public exploit is identified at time of analysis and EPSS exploitation probability is low (0.05%), but a vendor patch (commit 0b0e16c) is available.

Technical ContextAI

WeKan is an open-source Meteor/Node.js kanban board that supports LDAP-backed authentication through its bundled wekan-ldap package. The flaw is CWE-90 (LDAP Injection): in packages/wekan-ldap/server/ldap.js the user-supplied username was interpolated directly into LDAP search filters (e.g. (${item}=${username})), into the #{username} placeholder of configured filter templates, and into DN strings such as ${username}@${Default_Domain} and ${User_Authentication_Field}=${username},${BaseDN}. Because LDAP filter metacharacters (such as *, (, ), \, and NUL) were not escaped, an attacker could break out of the intended predicate and inject additional filter logic or alter the resolved DN. The fix introduces an escapedToHex() routine applied to the username before it is placed into every filter and DN, neutralizing the special characters.

RemediationAI

Upgrade to WeKan 8.19 or later, which applies escapedToHex() escaping to usernames before they are used in LDAP search filters and DN construction (Vendor-released patch: 8.19; see commit https://github.com/wekan/wekan/commit/0b0e16c3eae28bbf453d33a81a9c58ce7db6d5bb and advisory https://www.vulncheck.com/advisories/wekan-ldap-authentication-filter-injection). If immediate patching is not possible, reduce exposure by disabling LDAP authentication and falling back to local accounts or an OAuth/OIDC provider (trade-off: users must re-authenticate through a different mechanism and directory-based provisioning is lost), and by restricting network access to the WeKan login endpoint to trusted networks or behind a reverse proxy/VPN (trade-off: may block legitimate remote users). Where an intermediary allows it, filtering or rejecting login usernames containing LDAP metacharacters such as *, (, ), \, =, and NUL can serve as a stopgap, though input filtering is error-prone and should not replace the upgrade.

More in LDAP

View all
CVE-2016-9299 CRITICAL POC
9.8 Jan 12

The remoting module in Jenkins before 2.32 and LTS before 2.19.3 allows remote attackers to execute arbitrary code via a

CVE-2017-14596 CRITICAL POC
9.8 Sep 20

In Joomla!. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required,

CVE-2017-8790 CRITICAL POC
9.8 May 05

An issue was discovered on Accellion FTA devices before FTA_9_12_180. Rated critical severity (CVSS 9.8), this vulnerabi

CVE-2023-28853 MEDIUM POC
6.5 Apr 04

Mastodon is a free, open-source social network server based on ActivityPub Mastodon allows configuration of LDAP for aut

CVE-2020-36966 MEDIUM POC
6.4 Jan 30

Dolibarr 11.0.3 contains a persistent cross-site scripting vulnerability in LDAP synchronization settings that allows at

CVE-2025-36556 MEDIUM POC
6.1 Jan 20

A reflected cross-site scripting (xss) vulnerability exists in the ldapUser functionality of MedDream PACS Premium 7.3.6

CVE-2026-23906 CRITICAL
9.8 Feb 10

Authentication bypass in Apache Druid versions 0.17.0 through 35.x. Affects all versions prior to 36.0.0 when specific p

CVE-2026-44930 CRITICAL
9.8 May 22

Arbitrary certificate disclosure in Apache CXF's XKMS server lets remote attackers abuse an LDAP injection flaw (CWE-90)

CVE-2024-33868 CRITICAL
9.8 May 14

An issue was discovered in linqi before 1.4.0.1 on Windows. Rated critical severity (CVSS 9.8), this vulnerability is re

CVE-2023-6905 CRITICAL
9.8 Dec 18

A vulnerability, which was classified as problematic, has been found in Jahastech NxFilter 4.3.2.5.jsp?actionFlag=test&i

CVE-2021-43350 CRITICAL
9.8 Nov 11

An unauthenticated Apache Traffic Control Traffic Ops user can send a request with a specially-crafted username to the P

CVE-2026-21880 MEDIUM POC
5.3 Jan 08

Kanboard versions 1.2.48 and earlier contain an LDAP injection vulnerability where unsanitized user input in the LDAP au

Share

CVE-2026-25560 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy