Skip to main content

WeKan CVE-2026-25561

HIGH
Incorrect Authorization (CWE-863)
2026-02-07 disclosure@vulncheck.com
7.1
CVSS 4.0 · Vendor: vulncheck
Share

Severity by source

Vendor (vulncheck) PRIMARY
7.1 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
4.3 MEDIUM

Network-reachable authenticated API (AV:N/PR:L) with no UI; impact is limited data-relationship tampering (I:L) with no confidentiality or availability loss, so I assess lower than the vendor's VI:H.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (vulncheck).

CVSS VectorVendor: vulncheck

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

8
Analysis Updated
Jul 14, 2026 - 17:05 vuln.today
v3 (cvss_changed)
Source Code Evidence Fetched
Jul 14, 2026 - 17:03 vuln.today
Analysis Updated
Jul 14, 2026 - 17:03 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jul 14, 2026 - 16:22 vuln.today
cvss_changed
CVSS changed
Jul 14, 2026 - 16:22 NVD
7.5 (HIGH) 7.1 (HIGH)
Analysis Generated
Mar 12, 2026 - 21:54 vuln.today
Patch released
Feb 10, 2026 - 22:02 nvd
Patch available
CVE Published
Feb 07, 2026 - 22:16 nvd
HIGH 7.5

DescriptionCVE.org

WeKan versions prior to 8.19 contain an authorization weakness in the attachment upload API. The API does not fully validate that provided identifiers (such as boardId, cardId, swimlaneId, and listId) are consistent and refer to a coherent card/board relationship, enabling attempts to upload attachments with mismatched object relationships.

AnalysisAI

Improper authorization in the WeKan attachment upload API (versions prior to 8.19) lets an authenticated low-privileged user submit inconsistent object identifiers (boardId, cardId, swimlaneId, listId) that the server fails to cross-validate, allowing attachments to be associated with or moved across card/board relationships the user should not control. The affected component is the self-hosted open-source kanban platform WeKan; the fix (commit 1d16955b) adds server-side checks that a card actually belongs to the named board, swimlane, and list. No public exploit identified at time of analysis, EPSS is negligible (0.01%), and it is not in CISA KEV.

Technical ContextAI

WeKan is a Meteor/Node.js self-hosted kanban application (a Trello-style board tool). The flaw resides in server/routes/attachmentApi.js, the REST endpoint handling attachment uploads and moves. The root cause is CWE-863 (Incorrect Authorization): the API trusted caller-supplied relationship identifiers instead of verifying that the referenced card genuinely belongs to the specified board and that the swimlaneId/listId match the card's real swimlane and list. The patch inserts explicit consistency checks (card.boardId ! boardId, card.swimlaneId ! swimlaneId, card.listId !== listId, plus equivalent target-card checks on move operations) that return HTTP 400/404 on mismatch, closing the gap where mismatched object relationships were accepted.

RemediationAI

Upgrade WeKan to version 8.19 or later, which includes the attachment-API relationship validation fix (commit 1d16955b6d4f0a0282e89c2c1b0415c7597019b8); because the input provides a fix commit and an implied release boundary (prior to 8.19), treat 8.19 as the patched version but confirm the exact tagged release on the WeKan project before deploying. If immediate upgrade is not possible, restrict who can reach the attachment upload/move endpoints - limit WeKan accounts to trusted users, keep the instance behind authenticated network controls, and monitor attachment API activity for cross-board identifier mismatches; the trade-off is that tightening account provisioning reduces collaboration convenience but shrinks the pool of users who could abuse the authenticated endpoint. Review the VulnCheck advisory (https://www.vulncheck.com/advisories/wekan-attachment-upload-object-relationship-validation-bypass) for vendor guidance.

More in Wekan

View all
CVE-2021-3309 HIGH POC
8.1 Jan 26

packages/wekan-ldap/server/ldap.js in Wekan before 4.87 can process connections even though they are not authorized by t

CVE-2026-52891 CRITICAL
9.9 Jul 15

OS command injection in Wekan (the open-source Meteor-based kanban board) before version 9.07 lets an authenticated user

CVE-2026-55652 CRITICAL
9.8 Jul 15

Authentication bypass in Wekan (open-source Meteor kanban) before version 9.46 lets an unauthenticated attacker imperson

CVE-2023-28485 MEDIUM POC
5.4 Jun 26

A stored cross-site scripting (Stored XSS) vulnerability in file preview in WeKan before 6.75 allows remote authenticate

CVE-2021-20654 MEDIUM POC
5.4 Feb 10

Wekan, open source kanban board system, between version 3.12 and 4.11, is vulnerable to multiple stored cross-site scrip

CVE-2026-52893 CRITICAL
9.2 Jul 15

Account takeover in Wekan (open-source Meteor kanban) before 9.32 allows an attacker who controls an OIDC provider accou

CVE-2026-25560 HIGH
8.7 Feb 07

LDAP filter injection in WeKan before 8.19 allows remote unauthenticated attackers to manipulate LDAP search filters and

CVE-2026-41454 HIGH
8.7 Apr 22

Privilege escalation in WeKan (versions prior to 8.35) allows authenticated board members with low privileges to perform

CVE-2026-55234 HIGH
8.5 Jul 15

Improper access control in Wekan (self-hosted open-source Meteor kanban) before version 9.37 lets any authenticated user

CVE-2026-30845 HIGH
8.2 Mar 06

Wekan versions 8.31.0 through 8.33 expose webhook URLs and authentication tokens to all board members through unfiltered

CVE-2026-30844 HIGH
8.1 Mar 06

Server-Side Request Forgery in Wekan 8.32-8.33 allows authenticated users to force the server to make arbitrary HTTP req

CVE-2026-53444 HIGH
7.6 Jul 15

Privilege escalation in Wekan (self-hosted Meteor kanban) before 9.32 lets any authenticated user directly invoke OIDC-o

Share

CVE-2026-25561 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy