WeKan
CVE-2026-25561
HIGH
Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-reachable authenticated API (AV:N/PR:L) with no UI; impact is limited data-relationship tampering (I:L) with no confidentiality or availability loss, so I assess lower than the vendor's VI:H.
Primary rating from Vendor (vulncheck).
CVSS VectorVendor: vulncheck
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
8DescriptionCVE.org
WeKan versions prior to 8.19 contain an authorization weakness in the attachment upload API. The API does not fully validate that provided identifiers (such as boardId, cardId, swimlaneId, and listId) are consistent and refer to a coherent card/board relationship, enabling attempts to upload attachments with mismatched object relationships.
AnalysisAI
Improper authorization in the WeKan attachment upload API (versions prior to 8.19) lets an authenticated low-privileged user submit inconsistent object identifiers (boardId, cardId, swimlaneId, listId) that the server fails to cross-validate, allowing attachments to be associated with or moved across card/board relationships the user should not control. The affected component is the self-hosted open-source kanban platform WeKan; the fix (commit 1d16955b) adds server-side checks that a card actually belongs to the named board, swimlane, and list. No public exploit identified at time of analysis, EPSS is negligible (0.01%), and it is not in CISA KEV.
Technical ContextAI
WeKan is a Meteor/Node.js self-hosted kanban application (a Trello-style board tool). The flaw resides in server/routes/attachmentApi.js, the REST endpoint handling attachment uploads and moves. The root cause is CWE-863 (Incorrect Authorization): the API trusted caller-supplied relationship identifiers instead of verifying that the referenced card genuinely belongs to the specified board and that the swimlaneId/listId match the card's real swimlane and list. The patch inserts explicit consistency checks (card.boardId ! boardId, card.swimlaneId ! swimlaneId, card.listId !== listId, plus equivalent target-card checks on move operations) that return HTTP 400/404 on mismatch, closing the gap where mismatched object relationships were accepted.
RemediationAI
Upgrade WeKan to version 8.19 or later, which includes the attachment-API relationship validation fix (commit 1d16955b6d4f0a0282e89c2c1b0415c7597019b8); because the input provides a fix commit and an implied release boundary (prior to 8.19), treat 8.19 as the patched version but confirm the exact tagged release on the WeKan project before deploying. If immediate upgrade is not possible, restrict who can reach the attachment upload/move endpoints - limit WeKan accounts to trusted users, keep the instance behind authenticated network controls, and monitor attachment API activity for cross-board identifier mismatches; the trade-off is that tightening account provisioning reduces collaboration convenience but shrinks the pool of users who could abuse the authenticated endpoint. Review the VulnCheck advisory (https://www.vulncheck.com/advisories/wekan-attachment-upload-object-relationship-validation-bypass) for vendor guidance.
packages/wekan-ldap/server/ldap.js in Wekan before 4.87 can process connections even though they are not authorized by t
OS command injection in Wekan (the open-source Meteor-based kanban board) before version 9.07 lets an authenticated user
Authentication bypass in Wekan (open-source Meteor kanban) before version 9.46 lets an unauthenticated attacker imperson
A stored cross-site scripting (Stored XSS) vulnerability in file preview in WeKan before 6.75 allows remote authenticate
Wekan, open source kanban board system, between version 3.12 and 4.11, is vulnerable to multiple stored cross-site scrip
Account takeover in Wekan (open-source Meteor kanban) before 9.32 allows an attacker who controls an OIDC provider accou
LDAP filter injection in WeKan before 8.19 allows remote unauthenticated attackers to manipulate LDAP search filters and
Privilege escalation in WeKan (versions prior to 8.35) allows authenticated board members with low privileges to perform
Improper access control in Wekan (self-hosted open-source Meteor kanban) before version 9.37 lets any authenticated user
Wekan versions 8.31.0 through 8.33 expose webhook URLs and authentication tokens to all board members through unfiltered
Server-Side Request Forgery in Wekan 8.32-8.33 allows authenticated users to force the server to make arbitrary HTTP req
Privilege escalation in Wekan (self-hosted Meteor kanban) before 9.32 lets any authenticated user directly invoke OIDC-o
Same weakness CWE-863 – Incorrect Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today