
Description

WeKan versions prior to 8.19 contain an insecure direct object reference (IDOR) in checklist creation and related checklist routes. The implementation does not verify that the supplied cardId belongs to the supplied boardId, allowing cross-board ID tampering by manipulating identifiers.

PUBLISHED Reserved 2026-02-02 | Published 2026-02-07 | Updated 2026-02-10 | Assigner VulnCheck




HIGH: 7.1 (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N)

Problem types

CWE-639 Authorization Bypass Through User-Controlled Key

Product status

Default status
unaffected

Any version before 8.19
affected

Credits

Joshua Rogers finder

References

github.com/...ommit/5cd875813fdec5a3c40a0358b30a347967c85c14 patch

wekan.fi/ product

www.vulncheck.com/...kan-checklist-creation-cross-board-idor third-party-advisory

cve.org (CVE-2026-25563)

nvd.nist.gov (CVE-2026-25563)
