CVE-2025-65779
BaseFortify

Publication date: 2025-12-15

Last updated on: 2025-12-18

Assigner: MITRE

Description
An issue was discovered in Wekan, the open source kanban board system, up to version 18.15 (fixed in 18.16). Unauthenticated attackers can update a board's "sort" value (Boards.allow returns true without verifying userId), allowing arbitrary reordering of boards.
Meta Information
Generated: 2026-06-16
AI Q&A: 2025-12-15
EPSS Evaluated: 2026-06-15
Affected Vendors & Products
Showing 1 associated CPE
Vendor: wekan_project; Product: wekan; Version / Range: to 8.16 (exc)
CWE-284: The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
Executive Summary

This vulnerability in Wekan up to version 18.15 allows unauthenticated attackers to update a board's "sort" value because the Boards.allow function returns true without verifying the user's identity. This means attackers can arbitrarily reorder boards without being logged in or authorized. The issue was fixed in version 18.16 by introducing a strict authorization policy that only allows authenticated users who are members of a board to update the board's sort order. [1]

Impact Analysis

This vulnerability can impact you by allowing unauthorized users to change the order of boards in your Wekan instance. This could lead to confusion, disruption of workflow, and potential manipulation of board organization, which may affect productivity and the integrity of your project management data. [1]

Detection Guidance

Detection can focus on update attempts against a board's 'sort' field that arrive without authentication or from users who are not board members. Because the weakness lets unauthenticated clients update board sorting, review server logs or API request logs for board update requests that touch the 'sort' field and originate from unauthenticated sources or from users not listed as board members. The exact commands depend on your logging setup; if you have access to the logs, for example:

1. Use grep or a similar tool to find update requests that contain the 'sort' field: `grep 'update.*sort' /path/to/wekan/logs`
2. Filter for unauthenticated or anonymous user IDs in the logs.
3. Monitor API endpoints for board update requests and verify the requester's authentication status.

The resources provide no explicit command, but focusing on logs for unauthorized 'sort' updates is recommended. [1]

Mitigation Strategies

The immediate mitigation step is to upgrade Wekan to version 18.16 or later, where the vulnerability is fixed. The fix enforces strict authorization policies that allow only authenticated users who are members of a board to update the board's 'sort' field. Until the upgrade is applied, you should restrict access to the Wekan instance to trusted users only and monitor for suspicious update attempts to the board sorting order. Applying the patch from commit ea310d7 or upgrading to the fixed version is the recommended action. [1, 3, 4]
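As an added illustration (not Wekan's code and not the patch from commit ea310d7), the constructed Meteor-style allow rules below place the insecure pattern named in the description beside a hardened rule that requires an authenticated user who is a board member and limits the client-side update to the `sort` field. The board document shape, the `members` array with `userId`/`isActive`, and the `canUpdate` harness are assumptions made for this example.

```javascript
// Constructed illustration of the authorization pattern described in the
// advisory. Not Wekan's actual code; the board document shape is an assumption.

// Vulnerable pattern: the allow rule returns true for every client-side update,
// so an anonymous client (userId === null) may change any field, including 'sort'.
const insecureRules = {
  update(userId, board, fields, modifier) {
    return true;
  },
};

// Hardened pattern: require a logged-in user, require active board membership,
// and allow the client to touch nothing but the 'sort' field.
const hardenedRules = {
  update(userId, board, fields, modifier) {
    if (!userId) return false; // reject unauthenticated clients
    const isMember = Array.isArray(board.members) &&
      board.members.some((m) => m.userId === userId && m.isActive !== false);
    if (!isMember) return false; // reject users who are not board members
    return fields.length > 0 && fields.every((f) => f === 'sort'); // 'sort' only
  },
};

// Evaluate a rule set against a simulated client update the way a server would
// before applying the modifier (constructed harness, not Meteor's internals).
function canUpdate(rules, userId, board, modifier) {
  const fields = Object.keys(modifier.$set || {});
  return rules.update(userId, board, fields, modifier);
}

// Constructed sample board: alice is an active member, bob is deactivated.
const sampleBoard = {
  _id: 'board1',
  title: 'Roadmap',
  sort: 0,
  members: [
    { userId: 'alice', isActive: true },
    { userId: 'bob', isActive: false },
  ],
};

// Anonymous reorder: accepted by the insecure rule, rejected by the hardened one.
console.log(canUpdate(insecureRules, null, sampleBoard, { $set: { sort: 5 } })); // true
console.log(canUpdate(hardenedRules, null, sampleBoard, { $set: { sort: 5 } })); // false
console.log(canUpdate(hardenedRules, 'alice', sampleBoard, { $set: { sort: 5 } })); // true
```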
