Skip to main content

Wekan CVE-2026-25859

HIGH
Incorrect Authorization (CWE-863)
2026-02-07 disclosure@vulncheck.com
7.1
CVSS 4.0 · Vendor: vulncheck
Share

Severity by source

Vendor (vulncheck) PRIMARY
7.1 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
7.1 HIGH

Authenticated low-priv user over the network invokes unguarded migration methods, so PR:L/AC:L/AV:N; impact is integrity-focused (I:H) with minor availability (A:L) and no confidentiality loss.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N

Primary rating from Vendor (vulncheck).

CVSS VectorVendor: vulncheck

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

8
Analysis Updated
Jul 14, 2026 - 16:55 vuln.today
v3 (cvss_changed)
Source Code Evidence Fetched
Jul 14, 2026 - 16:54 vuln.today
Analysis Updated
Jul 14, 2026 - 16:54 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jul 14, 2026 - 16:22 vuln.today
cvss_changed
CVSS changed
Jul 14, 2026 - 16:22 NVD
8.8 (HIGH) 7.1 (HIGH)
Analysis Generated
Mar 12, 2026 - 21:54 vuln.today
Patch released
Feb 10, 2026 - 21:54 nvd
Patch available
CVE Published
Feb 07, 2026 - 22:16 nvd
HIGH 8.8

DescriptionCVE.org

Wekan versions prior to 8.20 allow non-administrative users to access migration functionality due to insufficient permission checks, potentially resulting in unauthorized migration operations.

AnalysisAI

Broken authorization in Wekan versions prior to 8.20 lets any authenticated non-administrative user invoke board migration functionality that should be restricted to board administrators. Because permission checks on the migration methods (e.g. comprehensiveBoardMigration.execute) are insufficient, a low-privileged user can trigger unauthorized migration operations that mutate board structure and data. EPSS is very low (0.05%, 15th percentile) and there is no public exploit identified at time of analysis, but a vendor patch and fix commit are available.

Technical ContextAI

Wekan is a self-hosted, open-source kanban board built on the Meteor JavaScript framework (Node.js + MongoDB), the affected product per CPE cpe:2.3:a:wekan_project:wekan:*. The root cause maps to CWE-863 (Incorrect Authorization): server-side Meteor methods that drive board migration/conversion (the diff references comprehensiveBoardMigration.needsMigration and comprehensiveBoardMigration.execute, plus a client-side migrationManager) did not enforce that the caller holds board-admin privileges. The patch commit (cbb1cd78de3e40264a5e047ace0ce27f8635b4e6) removes automatic migration on board load and refactors migrations so they are only run manually from the sidebar Migrations menu by board admins, swaps the old client migrationManager for an attachmentMigrationManager, and relocates migrationProgress under settings - indicating the fix centralizes and gates the migration trigger rather than exposing it to every board viewer.

RemediationAI

Vendor-released patch: upgrade to Wekan 8.20 or later, which restricts migration functionality to board administrators and disables automatic migration (fix commit https://github.com/wekan/wekan/commit/cbb1cd78de3e40264a5e047ace0ce27f8635b4e6). If you cannot upgrade immediately, reduce exposure by restricting Wekan account provisioning to trusted users and reviewing which users hold board access, since exploitation requires an authenticated low-privileged account - shrinking the authenticated user population directly shrinks the attack surface, at the cost of collaboration convenience. Monitor server logs for unexpected calls to migration/conversion methods and unexpected board-structure changes so unauthorized migration operations can be detected and rolled back. See the VulnCheck advisory (https://www.vulncheck.com/advisories/wekan-migration-functionality-insufficient-permission-checks) and vendor site (https://wekan.fi/) for release details.

More in Wekan

View all
CVE-2021-3309 HIGH POC
8.1 Jan 26

packages/wekan-ldap/server/ldap.js in Wekan before 4.87 can process connections even though they are not authorized by t

CVE-2026-52891 CRITICAL
9.9 Jul 15

OS command injection in Wekan (the open-source Meteor-based kanban board) before version 9.07 lets an authenticated user

CVE-2026-55652 CRITICAL
9.8 Jul 15

Authentication bypass in Wekan (open-source Meteor kanban) before version 9.46 lets an unauthenticated attacker imperson

CVE-2023-28485 MEDIUM POC
5.4 Jun 26

A stored cross-site scripting (Stored XSS) vulnerability in file preview in WeKan before 6.75 allows remote authenticate

CVE-2021-20654 MEDIUM POC
5.4 Feb 10

Wekan, open source kanban board system, between version 3.12 and 4.11, is vulnerable to multiple stored cross-site scrip

CVE-2026-52893 CRITICAL
9.2 Jul 15

Account takeover in Wekan (open-source Meteor kanban) before 9.32 allows an attacker who controls an OIDC provider accou

CVE-2026-25560 HIGH
8.7 Feb 07

LDAP filter injection in WeKan before 8.19 allows remote unauthenticated attackers to manipulate LDAP search filters and

CVE-2026-41454 HIGH
8.7 Apr 22

Privilege escalation in WeKan (versions prior to 8.35) allows authenticated board members with low privileges to perform

CVE-2026-55234 HIGH
8.5 Jul 15

Improper access control in Wekan (self-hosted open-source Meteor kanban) before version 9.37 lets any authenticated user

CVE-2026-30845 HIGH
8.2 Mar 06

Wekan versions 8.31.0 through 8.33 expose webhook URLs and authentication tokens to all board members through unfiltered

CVE-2026-30844 HIGH
8.1 Mar 06

Server-Side Request Forgery in Wekan 8.32-8.33 allows authenticated users to force the server to make arbitrary HTTP req

CVE-2026-53444 HIGH
7.6 Jul 15

Privilege escalation in Wekan (self-hosted Meteor kanban) before 9.32 lets any authenticated user directly invoke OIDC-o

Share

CVE-2026-25859 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy