CVE-2026-25565
Authorization Bypass in WeKan Card Update API Allows Unauthorized Modifications
Publication date: 2026-02-07
Last updated on: 2026-02-10
Assigner: VulnCheck
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wekan_project | wekan | prior to 8.19 (8.19 itself not affected) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-863 | The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. |
AI Powered Q&A
What immediate steps should I take to mitigate this vulnerability?
I don't know
Can you explain this vulnerability to me?
This vulnerability exists in WeKan versions prior to 8.19 and involves an authorization flaw. Specifically, certain card update API paths incorrectly check only for board read access instead of requiring write permission. As a result, users who have read-only roles can perform card updates that should normally require write access.
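The difference the answer above describes, as an added illustration that is not WeKan's code: a hypothetical in-memory board and card store, with a card-update handler that gates the mutation on board read access placed beside one that requires write access on the owning board and records refusals for later review. The role names (`reader`, `writer`, `admin`), the handler names and the sample members are all assumptions made for this example.

```javascript
// Added example (not WeKan's code). Sample board membership and card data are constructed.
const boards = new Map([
  ['board-1', {
    members: new Map([
      ['alice', 'admin'],   // may read and write
      ['bob', 'writer'],    // may read and write
      ['carol', 'reader'],  // read-only: must never modify cards
    ]),
  }],
]);

const cards = new Map([
  ['card-1', { boardId: 'board-1', title: 'Ship release', description: '', archived: false }],
]);

// Fields a card update may touch; anything else is rejected before any permission check.
const UPDATABLE_FIELDS = new Set(['title', 'description', 'archived']);

function roleOf(boardId, userId) {
  const board = boards.get(boardId);
  return board ? (board.members.get(userId) || null) : null;
}

// Any board member can read the board.
function canReadBoard(boardId, userId) {
  return roleOf(boardId, userId) !== null;
}

// Only writers and admins may change its contents.
function canWriteBoard(boardId, userId) {
  const role = roleOf(boardId, userId);
  return role === 'writer' || role === 'admin';
}

// Refused mutations are recorded so an operator can notice read-only
// accounts repeatedly hitting write endpoints.
const auditLog = [];

function applyUpdate(card, fields) {
  for (const [key, value] of Object.entries(fields)) {
    if (!UPDATABLE_FIELDS.has(key)) throw new Error(`field not updatable: ${key}`);
    card[key] = value;
  }
  return { ...card };
}

// Shape of the flaw (CWE-863): an authorization check runs, but it asks the
// wrong question, so every member who can *see* the board passes it.
function updateCardWeak(userId, cardId, fields) {
  const card = cards.get(cardId);
  if (!card) return { ok: false, status: 404 };
  if (!canReadBoard(card.boardId, userId)) return { ok: false, status: 403 };
  return { ok: true, status: 200, card: applyUpdate(card, fields) };
}

// Corrected handler: a mutation requires write permission on the board that
// owns the card, and each refusal is logged with who tried what.
function updateCardFixed(userId, cardId, fields) {
  const card = cards.get(cardId);
  if (!card) return { ok: false, status: 404 };
  if (!canWriteBoard(card.boardId, userId)) {
    auditLog.push({ userId, cardId, boardId: card.boardId, action: 'card.update', denied: true });
    return { ok: false, status: 403 };
  }
  return { ok: true, status: 200, card: applyUpdate(card, fields) };
}

module.exports = { updateCardWeak, updateCardFixed, canReadBoard, canWriteBoard, auditLog };
```

Calling `updateCardWeak('carol', 'card-1', { title: 'changed' })` succeeds even though carol is a reader, which is the behaviour the answer attributes to the affected versions; `updateCardFixed` refuses the same call with a 403 and leaves an audit record, while a writer such as bob is still allowed through. The point for a reviewer is that the weak handler is not missing a check, it performs the wrong one, so grepping for "no permission check" will not find this class of bug; the permission asked for has to match the action.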
How can this vulnerability impact me?
The impact of this vulnerability is that users with read-only access can make unauthorized changes to cards within the WeKan application. This could lead to unauthorized modifications of data, potentially compromising the integrity of information managed through the platform.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
I don't know