WeKan
CVE-2026-25560
HIGH
Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Pre-auth LDAP login path is network-reachable with low complexity and no privileges (AV:N/AC:L/PR:N/UI:N); impact is directory-query manipulation/disclosure, so C:H with I:N/A:N.
Primary rating from Vendor (vulncheck).
CVSS VectorVendor: vulncheck
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
9DescriptionCVE.org
WeKan versions prior to 8.19 contain an LDAP filter injection vulnerability in LDAP authentication. User-supplied username input is incorporated into LDAP search filters and DN-related values without adequate escaping, allowing an attacker to manipulate LDAP queries during authentication.
AnalysisAI
LDAP filter injection in WeKan before 8.19 allows remote unauthenticated attackers to manipulate LDAP search filters and DN construction during login by supplying crafted usernames that are embedded into queries without escaping. Because the malicious input reaches the authentication path directly (CVSS 4.0 AV:N/PR:N/UI:N, base score 8.7), an attacker can tamper with the authentication logic to enumerate directory data or subvert the intended search filter. No public exploit is identified at time of analysis and EPSS exploitation probability is low (0.05%), but a vendor patch (commit 0b0e16c) is available.
Technical ContextAI
WeKan is an open-source Meteor/Node.js kanban board that supports LDAP-backed authentication through its bundled wekan-ldap package. The flaw is CWE-90 (LDAP Injection): in packages/wekan-ldap/server/ldap.js the user-supplied username was interpolated directly into LDAP search filters (e.g. (${item}=${username})), into the #{username} placeholder of configured filter templates, and into DN strings such as ${username}@${Default_Domain} and ${User_Authentication_Field}=${username},${BaseDN}. Because LDAP filter metacharacters (such as *, (, ), \, and NUL) were not escaped, an attacker could break out of the intended predicate and inject additional filter logic or alter the resolved DN. The fix introduces an escapedToHex() routine applied to the username before it is placed into every filter and DN, neutralizing the special characters.
RemediationAI
Upgrade to WeKan 8.19 or later, which applies escapedToHex() escaping to usernames before they are used in LDAP search filters and DN construction (Vendor-released patch: 8.19; see commit https://github.com/wekan/wekan/commit/0b0e16c3eae28bbf453d33a81a9c58ce7db6d5bb and advisory https://www.vulncheck.com/advisories/wekan-ldap-authentication-filter-injection). If immediate patching is not possible, reduce exposure by disabling LDAP authentication and falling back to local accounts or an OAuth/OIDC provider (trade-off: users must re-authenticate through a different mechanism and directory-based provisioning is lost), and by restricting network access to the WeKan login endpoint to trusted networks or behind a reverse proxy/VPN (trade-off: may block legitimate remote users). Where an intermediary allows it, filtering or rejecting login usernames containing LDAP metacharacters such as *, (, ), \, =, and NUL can serve as a stopgap, though input filtering is error-prone and should not replace the upgrade.
The remoting module in Jenkins before 2.32 and LTS before 2.19.3 allows remote attackers to execute arbitrary code via a
In Joomla!. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required,
An issue was discovered on Accellion FTA devices before FTA_9_12_180. Rated critical severity (CVSS 9.8), this vulnerabi
Mastodon is a free, open-source social network server based on ActivityPub Mastodon allows configuration of LDAP for aut
Dolibarr 11.0.3 contains a persistent cross-site scripting vulnerability in LDAP synchronization settings that allows at
A reflected cross-site scripting (xss) vulnerability exists in the ldapUser functionality of MedDream PACS Premium 7.3.6
Authentication bypass in Apache Druid versions 0.17.0 through 35.x. Affects all versions prior to 36.0.0 when specific p
Arbitrary certificate disclosure in Apache CXF's XKMS server lets remote attackers abuse an LDAP injection flaw (CWE-90)
An issue was discovered in linqi before 1.4.0.1 on Windows. Rated critical severity (CVSS 9.8), this vulnerability is re
A vulnerability, which was classified as problematic, has been found in Jahastech NxFilter 4.3.2.5.jsp?actionFlag=test&i
An unauthenticated Apache Traffic Control Traffic Ops user can send a request with a specially-crafted username to the P
Kanboard versions 1.2.48 and earlier contain an LDAP injection vulnerability where unsanitized user input in the LDAP au
Same weakness CWE-90 – LDAP Injection
View allSame technique Code Injection
View allShare
External POC / Exploit Code
Leaving vuln.today