Description

WeKan versions prior to 8.19 contain an insecure direct object reference (IDOR) in checklist creation and related checklist routes. The implementation does not verify that the supplied cardId belongs to the supplied boardId, allowing cross-board ID tampering by manipulating identifiers.

PUBLISHED Reserved 2026-02-02 | Published 2026-02-07 | Updated 2026-02-10 | Assigner VulnCheck




HIGH: 7.1 | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N

Problem types

CWE-639 Authorization Bypass Through User-Controlled Key

Product status

Default status: unaffected

Any version before 8.19: affected

Credits

Joshua Rogers (finder)

References

github.com/...ommit/08a6f084eba09487743a7c807fb4a9000fcfa9ac (patch)

wekan.fi/ (product)

www.vulncheck.com/...dor-via-missing-relationship-validation (third-party-advisory)

cve.org (CVE-2026-25564)

nvd.nist.gov (CVE-2026-25564)
