Skip to main content

WeKan CVE-2026-25565

HIGH
Incorrect Authorization (CWE-863)
2026-02-07 disclosure@vulncheck.com
7.1
CVSS 4.0 · Vendor: vulncheck
Share

Severity by source

Vendor (vulncheck) PRIMARY
7.1 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
4.3 MEDIUM

Authenticated read-only board member (PR:L) exploits a network API with low complexity and no user interaction; impact is integrity-only (I:H), no confidentiality or availability effect, scope unchanged.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (vulncheck).

CVSS VectorVendor: vulncheck

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

10
Analysis Updated
Jul 14, 2026 - 17:00 vuln.today
v4 (cvss_changed)
Analysis Updated
Jul 14, 2026 - 16:59 vuln.today
v3 (cvss_changed)
Source Code Evidence Fetched
Jul 14, 2026 - 16:58 vuln.today
Analysis Updated
Jul 14, 2026 - 16:58 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jul 14, 2026 - 16:22 vuln.today
cvss_changed
Severity Changed
Jul 14, 2026 - 16:22 NVD
MEDIUM HIGH
CVSS changed
Jul 14, 2026 - 16:22 NVD
6.5 (MEDIUM) 7.1 (HIGH)
Analysis Generated
Mar 12, 2026 - 21:54 vuln.today
Patch released
Feb 10, 2026 - 21:57 nvd
Patch available
CVE Published
Feb 07, 2026 - 22:16 nvd
MEDIUM 6.5

DescriptionCVE.org

WeKan versions prior to 8.19 contain an authorization vulnerability where certain card update API paths validate only board read access rather than requiring write permission. This can allow users with read-only roles to perform card updates that should require write access.

AnalysisAI

Privilege escalation via broken authorization in WeKan (the open-source kanban board) before 8.19 lets users holding read-only board roles modify cards, lists, and swimlanes that should require write access. The flaw stems from card/list/swimlane update API routes calling a read-level access check instead of a write-level check, letting a low-privileged but authenticated member tamper with data they should only be able to view. There is no public exploit identified at time of analysis and EPSS is negligible (0.01%), but the fix is confirmed in an upstream commit and the CVSS 4.0 base score is 7.1.

Technical ContextAI

WeKan is a Meteor/Node.js self-hosted Trello-style kanban application; its REST API is defined in server-side model files (models/cards.js, models/lists.js, models/swimlanes.js, models/boards.js). The root cause is CWE-863 (Incorrect Authorization): the affected JsonRoutes handlers invoked Authentication.checkBoardAccess(), which merely confirms the caller can read the board, on endpoints that mutate state. WeKan's role model distinguishes several restricted member types (isReadOnly, isReadAssignedOnly, isCommentOnly, isNoComments, isWorker), and the correct gate must exclude all of them. The patch (commit 181f837) introduces Authentication.checkBoardWriteAccess(), which verifies the user is an active board member who is not read-only, read-assigned-only, comment-only, no-comments, or worker, and swaps it in across card update, card move (including destination-board validation), cards_count, list, and swimlane mutation routes; a related utils.js helper (allowIsAnyBoardMember) was also hardened to exclude read-only and no-comments roles. The affected package is identified by CPE cpe:2.3:a:wekan_project:wekan.

RemediationAI

Upgrade WeKan to version 8.19 or later, which incorporates the authorization fix (Authentication.checkBoardWriteAccess) applied in commit 181f837; this is the primary and recommended remediation. Patch details and the source fix are at https://github.com/wekan/wekan/commit/181f837d8cbae96bdf9dcbd31beaa3653c2c0285 and the advisory at https://www.vulncheck.com/advisories/wekan-read-only-board-roles-can-update-cards. If you cannot upgrade immediately, reduce exposure by auditing board memberships and removing or converting untrusted read-only/comment-only/worker members from sensitive boards, and by restricting network access to the WeKan API to trusted users so that only accounts you fully trust can reach the mutation endpoints; note the trade-off that this limits legitimate collaboration and does not close the flaw for any read-only user who retains access. Given the impact is integrity-only, also rely on board activity history to detect and roll back unauthorized card, list, or swimlane changes until the upgrade is applied.

More in Wekan

View all
CVE-2021-3309 HIGH POC
8.1 Jan 26

packages/wekan-ldap/server/ldap.js in Wekan before 4.87 can process connections even though they are not authorized by t

CVE-2026-52891 CRITICAL
9.9 Jul 15

OS command injection in Wekan (the open-source Meteor-based kanban board) before version 9.07 lets an authenticated user

CVE-2026-55652 CRITICAL
9.8 Jul 15

Authentication bypass in Wekan (open-source Meteor kanban) before version 9.46 lets an unauthenticated attacker imperson

CVE-2023-28485 MEDIUM POC
5.4 Jun 26

A stored cross-site scripting (Stored XSS) vulnerability in file preview in WeKan before 6.75 allows remote authenticate

CVE-2021-20654 MEDIUM POC
5.4 Feb 10

Wekan, open source kanban board system, between version 3.12 and 4.11, is vulnerable to multiple stored cross-site scrip

CVE-2026-52893 CRITICAL
9.2 Jul 15

Account takeover in Wekan (open-source Meteor kanban) before 9.32 allows an attacker who controls an OIDC provider accou

CVE-2026-25560 HIGH
8.7 Feb 07

LDAP filter injection in WeKan before 8.19 allows remote unauthenticated attackers to manipulate LDAP search filters and

CVE-2026-41454 HIGH
8.7 Apr 22

Privilege escalation in WeKan (versions prior to 8.35) allows authenticated board members with low privileges to perform

CVE-2026-55234 HIGH
8.5 Jul 15

Improper access control in Wekan (self-hosted open-source Meteor kanban) before version 9.37 lets any authenticated user

CVE-2026-30845 HIGH
8.2 Mar 06

Wekan versions 8.31.0 through 8.33 expose webhook URLs and authentication tokens to all board members through unfiltered

CVE-2026-30844 HIGH
8.1 Mar 06

Server-Side Request Forgery in Wekan 8.32-8.33 allows authenticated users to force the server to make arbitrary HTTP req

CVE-2026-53444 HIGH
7.6 Jul 15

Privilege escalation in Wekan (self-hosted Meteor kanban) before 9.32 lets any authenticated user directly invoke OIDC-o

Share

CVE-2026-25565 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy