CVE-2026-25567
Unknown
Unknown - Not Provided
IDOR Vulnerability in WeKan Card Comment API Allows Author Spoofing
Publication date: 2026-02-07
Last updated on: 2026-02-10
Assigner: VulnCheck
Description
Description
WeKan versions prior to 8.19 contain an insecure direct object reference (IDOR) in the card comment creation API. The endpoint accepts an authorId from the request body, allowing an authenticated user to spoof the recorded comment author by supplying another user's identifier.
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wekan_project | wekan | to 8.19 (exc) |
Helpful Resources
Exploitability
CWE
KEV
| CWE ID | Description |
|---|---|
| CWE-639 | The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data. |
