Skip to main content

WeKan CVE-2026-41454

| EUVDEUVD-2026-25117 HIGH
Missing Authorization (CWE-862)
2026-04-22 VulnCheck GHSA-f2hf-mr43-85mv
8.7
CVSS 4.0 · Vendor: VulnCheck
Share

Severity by source

Vendor (VulnCheck) PRIMARY
8.7 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from Vendor (VulnCheck) · only source for this CVE.

CVSS VectorVendor: VulnCheck

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

7
Re-analysis Queued
Apr 23, 2026 - 16:57 vuln.today
cvss_changed
Analysis Generated
Apr 23, 2026 - 06:56 vuln.today
CVSS changed
Apr 22, 2026 - 22:22 NVD
8.3 (HIGH) 8.7 (HIGH)
EUVD ID Assigned
Apr 22, 2026 - 21:46 euvd
EUVD-2026-25117
Analysis Generated
Apr 22, 2026 - 21:46 vuln.today
Patch released
Apr 22, 2026 - 21:46 nvd
Patch available
CVE Published
Apr 22, 2026 - 21:08 nvd
HIGH 8.7

DescriptionCVE.org

WeKan before 8.35 contains a missing authorization vulnerability in the Integration REST API endpoints that allows authenticated board members to perform administrative actions without proper privilege verification. Attackers can enumerate integrations including webhook URLs, create new integrations, modify or delete existing integrations, and manage integration activities by exploiting insufficient authorization checks in the JsonRoutes REST handlers.

AnalysisAI

Privilege escalation in WeKan (versions prior to 8.35) allows authenticated board members with low privileges to perform administrative integration management without authorization checks. Attackers can enumerate webhook URLs and secrets, create/modify/delete integrations, and manipulate integration activities through unprotected REST API endpoints. CVSS 8.7 reflects high confidentiality and integrity impact with network attack vector and low complexity. VulnCheck reported this vulnerability with vendor patch available in version 8.35 and commit 2cd702f. EPSS data not available; no confirmed active exploitation or POC identified at time of analysis.

Technical ContextAI

WeKan is an open-source kanban board application built on Meteor framework with REST API integration capabilities. This vulnerability stems from CWE-862 (Missing Authorization) in the JsonRoutes REST API handlers that govern integration management functions. The affected endpoints fail to verify whether the authenticated user possesses administrative privileges before executing sensitive operations like webhook enumeration, integration creation/modification/deletion, and activity management. The CVSS 4.0 vector indicates network-accessible exploitation (AV:N) requiring only low-privilege authentication (PR:L) with no additional attack complexity (AC:L/AT:N). The high confidentiality impact (VC:H) reflects exposure of webhook URLs and potential secrets, while high integrity impact (VI:H) indicates unauthorized modification of integration configurations. CPE cpe:2.3:a:wekan:wekan identifies the affected product across all versions prior to the fix.

RemediationAI

Upgrade to WeKan version 8.35 or later, which implements proper authorization checks in Integration REST API endpoints per commit 2cd702f48df2b8aef0e7381685f8e089986a18a4 (https://github.com/wekan/wekan/commit/2cd702f48df2b8aef0e7381685f8e089986a18a4). Release available at https://github.com/wekan/wekan/releases/tag/v8.35. For environments unable to immediately upgrade, implement compensating controls: restrict board membership to trusted users only, audit integration configurations for unauthorized changes, rotate webhook URLs and secrets, monitor API access logs for suspicious integration-related requests from low-privilege accounts, and consider network-level restrictions to Integration API endpoints using reverse proxy rules (note this may impact legitimate integration functionality). Review and remove any unauthorized integrations created before patching. No workaround restores proper authorization without upgrading.

More in Wekan

View all
CVE-2021-3309 HIGH POC
8.1 Jan 26

packages/wekan-ldap/server/ldap.js in Wekan before 4.87 can process connections even though they are not authorized by t

CVE-2026-52891 CRITICAL
9.9 Jul 15

OS command injection in Wekan (the open-source Meteor-based kanban board) before version 9.07 lets an authenticated user

CVE-2026-55652 CRITICAL
9.8 Jul 15

Authentication bypass in Wekan (open-source Meteor kanban) before version 9.46 lets an unauthenticated attacker imperson

CVE-2023-28485 MEDIUM POC
5.4 Jun 26

A stored cross-site scripting (Stored XSS) vulnerability in file preview in WeKan before 6.75 allows remote authenticate

CVE-2021-20654 MEDIUM POC
5.4 Feb 10

Wekan, open source kanban board system, between version 3.12 and 4.11, is vulnerable to multiple stored cross-site scrip

CVE-2026-52893 CRITICAL
9.2 Jul 15

Account takeover in Wekan (open-source Meteor kanban) before 9.32 allows an attacker who controls an OIDC provider accou

CVE-2026-25560 HIGH
8.7 Feb 07

LDAP filter injection in WeKan before 8.19 allows remote unauthenticated attackers to manipulate LDAP search filters and

CVE-2026-55234 HIGH
8.5 Jul 15

Improper access control in Wekan (self-hosted open-source Meteor kanban) before version 9.37 lets any authenticated user

CVE-2026-30845 HIGH
8.2 Mar 06

Wekan versions 8.31.0 through 8.33 expose webhook URLs and authentication tokens to all board members through unfiltered

CVE-2026-30844 HIGH
8.1 Mar 06

Server-Side Request Forgery in Wekan 8.32-8.33 allows authenticated users to force the server to make arbitrary HTTP req

CVE-2026-53444 HIGH
7.6 Jul 15

Privilege escalation in Wekan (self-hosted Meteor kanban) before 9.32 lets any authenticated user directly invoke OIDC-o

CVE-2026-30846 HIGH
7.5 Mar 06

Wekan versions 8.31.0 through 8.33 expose global webhook configurations including sensitive URLs and authentication toke

Share

CVE-2026-41454 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy