WeKan
CVE-2026-25563
HIGH
Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-reachable checklist API with low-complexity ID tampering, but a valid account is required (PR:L); impact is integrity-only writes to other boards (I:H, C:N/A:N), scope unchanged.
Primary rating from Vendor (vulncheck).
CVSS VectorVendor: vulncheck
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
8DescriptionCVE.org
WeKan versions prior to 8.19 contain an insecure direct object reference (IDOR) in checklist creation and related checklist routes. The implementation does not verify that the supplied cardId belongs to the supplied boardId, allowing cross-board ID tampering by manipulating identifiers.
AnalysisAI
Cross-board data tampering in WeKan (the open-source Trello-style kanban board) before version 8.19 lets an authenticated low-privilege user attach checklists to cards on boards they do not own by supplying a mismatched cardId/boardId pair. Because the checklist creation routes never confirm the card actually belongs to the referenced board, any logged-in user can manipulate identifiers to write into other users' boards. No public exploit is identified at time of analysis and EPSS exploitation probability is negligible (0.01%), but the fix is confirmed by an upstream vendor commit.
Technical ContextAI
WeKan is a Meteor/Node.js self-hosted kanban application; the vulnerable code lives in the server-side REST routes in models/checklists.js. The flaw is a classic Insecure Direct Object Reference (CWE-639, Authorization Bypass Through User-Controlled Key): the checklist creation and related checklist endpoints accepted a user-supplied cardId and boardId but performed no relational check that the card actually resides on that board. The vendor patch (commit 5cd875813fdec5a3c40a0358b30a347967c85c14) adds an explicit ReactiveCache.getCard lookup keyed on both _id and boardId across three route handlers, returning HTTP 404 ('Card not found or does not belong to the specified board') when the pairing is invalid - closing the object-reference gap.
RemediationAI
Vendor-released patch: upgrade WeKan to version 8.19 or later, which adds card-to-board ownership verification on the checklist routes (upstream fix confirmed in commit 5cd875813fdec5a3c40a0358b30a347967c85c14; note the reference is a commit rather than a tagged release, so validate the packaged 8.19 build in your channel - Docker/Snap/source). If immediate upgrade is not possible, reduce exposure by limiting account provisioning and restricting who can obtain authenticated WeKan accounts (the attack requires a valid low-privilege login), and, on multi-team deployments, segregate sensitive boards onto separate instances to remove cross-board tampering opportunity; the trade-off is operational overhead and loss of shared-instance convenience. Review the VulnCheck advisory (https://www.vulncheck.com/advisories/wekan-checklist-creation-cross-board-idor) and consider auditing checklist-creation API logs for requests where cardId and boardId do not correlate.
packages/wekan-ldap/server/ldap.js in Wekan before 4.87 can process connections even though they are not authorized by t
OS command injection in Wekan (the open-source Meteor-based kanban board) before version 9.07 lets an authenticated user
Authentication bypass in Wekan (open-source Meteor kanban) before version 9.46 lets an unauthenticated attacker imperson
A stored cross-site scripting (Stored XSS) vulnerability in file preview in WeKan before 6.75 allows remote authenticate
Wekan, open source kanban board system, between version 3.12 and 4.11, is vulnerable to multiple stored cross-site scrip
Account takeover in Wekan (open-source Meteor kanban) before 9.32 allows an attacker who controls an OIDC provider accou
LDAP filter injection in WeKan before 8.19 allows remote unauthenticated attackers to manipulate LDAP search filters and
Privilege escalation in WeKan (versions prior to 8.35) allows authenticated board members with low privileges to perform
Improper access control in Wekan (self-hosted open-source Meteor kanban) before version 9.37 lets any authenticated user
Wekan versions 8.31.0 through 8.33 expose webhook URLs and authentication tokens to all board members through unfiltered
Server-Side Request Forgery in Wekan 8.32-8.33 allows authenticated users to force the server to make arbitrary HTTP req
Privilege escalation in Wekan (self-hosted Meteor kanban) before 9.32 lets any authenticated user directly invoke OIDC-o
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today