Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from Vendor (VulnCheck) · only source for this CVE.
CVSS VectorVendor: VulnCheck
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
7DescriptionCVE.org
WeKan before 8.35 contains a missing authorization vulnerability in the Integration REST API endpoints that allows authenticated board members to perform administrative actions without proper privilege verification. Attackers can enumerate integrations including webhook URLs, create new integrations, modify or delete existing integrations, and manage integration activities by exploiting insufficient authorization checks in the JsonRoutes REST handlers.
AnalysisAI
Privilege escalation in WeKan (versions prior to 8.35) allows authenticated board members with low privileges to perform administrative integration management without authorization checks. Attackers can enumerate webhook URLs and secrets, create/modify/delete integrations, and manipulate integration activities through unprotected REST API endpoints. CVSS 8.7 reflects high confidentiality and integrity impact with network attack vector and low complexity. VulnCheck reported this vulnerability with vendor patch available in version 8.35 and commit 2cd702f. EPSS data not available; no confirmed active exploitation or POC identified at time of analysis.
Technical ContextAI
WeKan is an open-source kanban board application built on Meteor framework with REST API integration capabilities. This vulnerability stems from CWE-862 (Missing Authorization) in the JsonRoutes REST API handlers that govern integration management functions. The affected endpoints fail to verify whether the authenticated user possesses administrative privileges before executing sensitive operations like webhook enumeration, integration creation/modification/deletion, and activity management. The CVSS 4.0 vector indicates network-accessible exploitation (AV:N) requiring only low-privilege authentication (PR:L) with no additional attack complexity (AC:L/AT:N). The high confidentiality impact (VC:H) reflects exposure of webhook URLs and potential secrets, while high integrity impact (VI:H) indicates unauthorized modification of integration configurations. CPE cpe:2.3:a:wekan:wekan identifies the affected product across all versions prior to the fix.
RemediationAI
Upgrade to WeKan version 8.35 or later, which implements proper authorization checks in Integration REST API endpoints per commit 2cd702f48df2b8aef0e7381685f8e089986a18a4 (https://github.com/wekan/wekan/commit/2cd702f48df2b8aef0e7381685f8e089986a18a4). Release available at https://github.com/wekan/wekan/releases/tag/v8.35. For environments unable to immediately upgrade, implement compensating controls: restrict board membership to trusted users only, audit integration configurations for unauthorized changes, rotate webhook URLs and secrets, monitor API access logs for suspicious integration-related requests from low-privilege accounts, and consider network-level restrictions to Integration API endpoints using reverse proxy rules (note this may impact legitimate integration functionality). Review and remove any unauthorized integrations created before patching. No workaround restores proper authorization without upgrading.
packages/wekan-ldap/server/ldap.js in Wekan before 4.87 can process connections even though they are not authorized by t
OS command injection in Wekan (the open-source Meteor-based kanban board) before version 9.07 lets an authenticated user
Authentication bypass in Wekan (open-source Meteor kanban) before version 9.46 lets an unauthenticated attacker imperson
A stored cross-site scripting (Stored XSS) vulnerability in file preview in WeKan before 6.75 allows remote authenticate
Wekan, open source kanban board system, between version 3.12 and 4.11, is vulnerable to multiple stored cross-site scrip
Account takeover in Wekan (open-source Meteor kanban) before 9.32 allows an attacker who controls an OIDC provider accou
LDAP filter injection in WeKan before 8.19 allows remote unauthenticated attackers to manipulate LDAP search filters and
Improper access control in Wekan (self-hosted open-source Meteor kanban) before version 9.37 lets any authenticated user
Wekan versions 8.31.0 through 8.33 expose webhook URLs and authentication tokens to all board members through unfiltered
Server-Side Request Forgery in Wekan 8.32-8.33 allows authenticated users to force the server to make arbitrary HTTP req
Privilege escalation in Wekan (self-hosted Meteor kanban) before 9.32 lets any authenticated user directly invoke OIDC-o
Wekan versions 8.31.0 through 8.33 expose global webhook configurations including sensitive URLs and authentication toke
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-25117
GHSA-f2hf-mr43-85mv