Skip to main content

WeKan CVE-2026-25566

HIGH
Incorrect Authorization (CWE-863)
2026-02-07 disclosure@vulncheck.com
7.1
CVSS 4.0 · Vendor: vulncheck
Share

Severity by source

Vendor (vulncheck) PRIMARY
7.1 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
7.1 HIGH

Authenticated low-priv user over network, no UI (PR:L, AV:N, UI:N); high integrity from unauthorized cross-board moves, low confidentiality from viewing foreign cards, no availability impact.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (vulncheck).

CVSS VectorVendor: vulncheck

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

9
Analysis Updated
Jul 14, 2026 - 16:59 vuln.today
v3 (cvss_changed)
Source Code Evidence Fetched
Jul 14, 2026 - 16:56 vuln.today
Analysis Updated
Jul 14, 2026 - 16:56 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jul 14, 2026 - 16:22 vuln.today
cvss_changed
Severity Changed
Jul 14, 2026 - 16:22 NVD
MEDIUM HIGH
CVSS changed
Jul 14, 2026 - 16:22 NVD
5.4 (MEDIUM) 7.1 (HIGH)
Analysis Generated
Mar 12, 2026 - 21:54 vuln.today
Patch released
Feb 18, 2026 - 20:43 nvd
Patch available
CVE Published
Feb 07, 2026 - 22:16 nvd
MEDIUM 5.4

DescriptionCVE.org

WeKan versions prior to 8.19 contain an authorization vulnerability in card move logic. A user can specify a destination board/list/swimlane without adequate authorization checks for the destination and without validating that destination objects belong to the destination board, potentially enabling unauthorized cross-board moves.

AnalysisAI

Improper authorization in WeKan's card-move API lets an authenticated low-privilege user relocate cards to boards, lists, and swimlanes they do not control, because the destination is trusted without verifying access rights or that the target objects belong to the destination board. All WeKan versions before 8.19 are affected; no public exploit is identified at time of analysis and EPSS is negligible (0.01%), but the fixing commit publicly documents the missing checks, lowering the bar to reproduce.

Technical ContextAI

WeKan is an open-source, self-hosted Kanban board (a Trello alternative) built on Meteor/Node.js with a MongoDB backend. The flaw lives in the REST card-move logic in models/cards.js, which accepts caller-supplied newBoardId, newListId, and newSwimlaneId parameters. This is a CWE-863 (Incorrect Authorization) issue: the code performed the move without calling Authentication.checkBoardAccess on the destination board and without confirming that the destination list and swimlane actually belong to that board. The vendor fix (commit 198509e) adds an explicit checkBoardAccess call plus ReactiveCache lookups that reject the request with HTTP 404 when the destination list or swimlane does not exist under the target board.

RemediationAI

Vendor-released patch: upgrade to WeKan 8.19 or later, which adds destination board access validation and list/swimlane ownership checks in the card-move API (fix commit https://github.com/wekan/wekan/commit/198509e7600981400353aec6259247b3c04e043e). If immediate upgrade is not possible, restrict account provisioning so only trusted users hold board membership, and place the WeKan instance behind network/access controls such as a VPN or SSO-gated reverse proxy to shrink the pool of potential authenticated attackers; note these controls do not stop an already-registered malicious user and only reduce exposure. Until patched, monitor application logs and audit trails for unexpected cross-board card moves as a detective control. See the VulnCheck advisory at https://www.vulncheck.com/advisories/wekan-cross-board-card-move-without-destination-authorization for details.

More in Wekan

View all
CVE-2021-3309 HIGH POC
8.1 Jan 26

packages/wekan-ldap/server/ldap.js in Wekan before 4.87 can process connections even though they are not authorized by t

CVE-2026-52891 CRITICAL
9.9 Jul 15

OS command injection in Wekan (the open-source Meteor-based kanban board) before version 9.07 lets an authenticated user

CVE-2026-55652 CRITICAL
9.8 Jul 15

Authentication bypass in Wekan (open-source Meteor kanban) before version 9.46 lets an unauthenticated attacker imperson

CVE-2023-28485 MEDIUM POC
5.4 Jun 26

A stored cross-site scripting (Stored XSS) vulnerability in file preview in WeKan before 6.75 allows remote authenticate

CVE-2021-20654 MEDIUM POC
5.4 Feb 10

Wekan, open source kanban board system, between version 3.12 and 4.11, is vulnerable to multiple stored cross-site scrip

CVE-2026-52893 CRITICAL
9.2 Jul 15

Account takeover in Wekan (open-source Meteor kanban) before 9.32 allows an attacker who controls an OIDC provider accou

CVE-2026-25560 HIGH
8.7 Feb 07

LDAP filter injection in WeKan before 8.19 allows remote unauthenticated attackers to manipulate LDAP search filters and

CVE-2026-41454 HIGH
8.7 Apr 22

Privilege escalation in WeKan (versions prior to 8.35) allows authenticated board members with low privileges to perform

CVE-2026-55234 HIGH
8.5 Jul 15

Improper access control in Wekan (self-hosted open-source Meteor kanban) before version 9.37 lets any authenticated user

CVE-2026-30845 HIGH
8.2 Mar 06

Wekan versions 8.31.0 through 8.33 expose webhook URLs and authentication tokens to all board members through unfiltered

CVE-2026-30844 HIGH
8.1 Mar 06

Server-Side Request Forgery in Wekan 8.32-8.33 allows authenticated users to force the server to make arbitrary HTTP req

CVE-2026-53444 HIGH
7.6 Jul 15

Privilege escalation in Wekan (self-hosted Meteor kanban) before 9.32 lets any authenticated user directly invoke OIDC-o

Share

CVE-2026-25566 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy