Description

WeKan versions prior to 8.19 contain an authorization vulnerability where certain card update API paths validate only board read access rather than requiring write permission. This can allow users with read-only roles to perform card updates that should require write access.
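The pattern behind this advisory, as an added illustration that is not WeKan's own code: a mutating card-update handler that only checks board read access (the flaw described above) next to one that requires write permission. The role names, member table and handler names are assumptions for the example.

```javascript
// Added example (not WeKan's code): models board membership roles and a
// card-update handler guarded two ways. Role names are assumed for the example.
const READ_ROLES = new Set(["admin", "normal", "comment-only", "read-only"]);
const WRITE_ROLES = new Set(["admin", "normal"]);

// Constructed board: three members holding different roles.
const board = {
  id: "board-1",
  members: { alice: "admin", bob: "normal", carol: "read-only" },
};

function canReadBoard(board, userId) {
  return READ_ROLES.has(board.members[userId]);
}

function canWriteBoard(board, userId) {
  return WRITE_ROLES.has(board.members[userId]);
}

// Vulnerable pattern: the update path verifies only that the caller can
// read the board, so a read-only member can still modify the card.
function updateCardTitleVulnerable(board, card, userId, newTitle) {
  if (!canReadBoard(board, userId)) throw new Error("forbidden");
  return { ...card, title: newTitle };
}

// Fixed pattern: any path that mutates a card requires write permission
// on the board the card belongs to.
function updateCardTitleFixed(board, card, userId, newTitle) {
  if (card.boardId !== board.id) throw new Error("card not on board");
  if (!canWriteBoard(board, userId)) throw new Error("forbidden");
  return { ...card, title: newTitle };
}

// Returns true when the given handler lets userId change a card's title.
function allowsUpdate(handler, userId) {
  const card = { id: "card-1", boardId: board.id, title: "original" };
  try {
    return handler(board, card, userId, "changed").title === "changed";
  } catch (e) {
    return false;
  }
}
```

Running `allowsUpdate` with the read-only member shows the vulnerable handler accepting the change and the fixed handler rejecting it; a user who is not a board member at all is rejected by both.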

Status: PUBLISHED | Reserved 2026-02-02 | Published 2026-02-07 | Updated 2026-02-10 | Assigner: VulnCheck

HIGH: 7.1 | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

Problem types

CWE-863 Incorrect Authorization

Product status

Default status
unaffected

Any version before 8.19
affected

Credits

Joshua Rogers finder

References

github.com/...ommit/181f837d8cbae96bdf9dcbd31beaa3653c2c0285 patch

wekan.fi/ product

www.vulncheck.com/...-read-only-board-roles-can-update-cards third-party-advisory

cve.org (CVE-2026-25565)

nvd.nist.gov (CVE-2026-25565)