Description
A security vulnerability has been detected in WeKan up to 8.20. This affects the function setBoardOrgs of the file models/boards.js of the component REST API. Manipulation of the arguments item.cardId, item.checklistId or card.boardId leads to improper authorization. The attack may be launched remotely, but it carries high attack complexity and its exploitability is reported as difficult. Upgrading to version 8.21 mitigates this issue; the patch is commit cabfeed9a68e21c469bf206d8655941444b9912c. It is suggested to upgrade the affected component.
Published: 2026-02-04
Score: 2.3 Low
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Access / Privilege Escalation
Action: Apply Patch
AI Analysis

Impact

The setBoardOrgs function in models/boards.js, reachable through WeKan’s REST API, processes requests that carry object identifiers (item.cardId, item.checklistId, card.boardId). The server does not verify that the authenticated caller is authorized for the board those identifiers resolve to, so a crafted request can change board organization assignments the caller should not control. The CVSS vectors rate the impact as low on confidentiality, integrity and availability (C:L/I:L/A:L) with low privileges required (PR:L): this is a limited, authenticated privilege escalation across board boundaries, not an unauthenticated takeover.

Affected Systems

WeKan, the task‑management web application, is affected in all releases up to and including 8.20. The vulnerability was addressed in release 8.21, which incorporates the patch commit cabfeed9a68e21c469bf206d8655941444b9912c. No other vendors or products are listed as impacted.

Risk and Exploitability

The CVSS 4.0 score of 2.3 indicates low severity; the CVSS 3.0/3.1 vectors for the same issue (AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L) score 5.0, Medium, so the rating depends on which version a scanner reports. The EPSS rating of less than 1% denotes a very small likelihood of exploitation in the wild. The vulnerability is remotely reachable but requires an authenticated account, high attack complexity, and is reported as difficult to exploit. It is not currently listed in the CISA KEV catalog, and the SSVC assessment records Exploitation: none and Automatable: no, which further suggests that it is not a widely exploited flaw at present.

Generated by OpenCVE AI on April 17, 2026 at 23:06 UTC.

Remediation

Fixed upstream in WeKan 8.21 (commit cabfeed9a68e21c469bf206d8655941444b9912c). No vendor workaround for releases up to 8.20 is listed.

OpenCVE Recommended Actions

  • Upgrade WeKan to version 8.21 or later, which contains the patch identified by commit cabfeed9a68e21c469bf206d8655941444b9912c.
  • If an immediate upgrade is not possible, reduce exposure of the REST API: disable it where it is not needed (WeKan’s WITH_API setting), or place it behind a gateway that only trusted clients can reach. Requiring authentication alone is not a mitigation, since the CVSS vector (PR:L) shows that a low-privileged authenticated user can exploit this.
  • After upgrading, confirm that the deployed build actually contains the fix by checking that the running version is 8.21 or later (for example the version reported in the WeKan UI or the container image tag), rather than relying on configuration, since the missing authorization check is in application code, not in a setting.
  • Review HTTP access and application logs for REST API requests that change board organization assignments, especially from accounts that are not administrators of the board concerned, and investigate any such requests that predate the upgrade.
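The authorization pattern behind the actions above, as an added illustration that is not WeKan’s code and does not reproduce the actual patch: a board-scoped mutation receives object identifiers from the client, the vulnerable handler trusts them, and the hardened handler resolves every identifier to a board on the server side and checks the caller’s role on that board before writing. All names (users, boards, cards, checklists, setBoardOrgsVulnerable, setBoardOrgsHardened, AuthorizationError) are hypothetical and the data is constructed in memory to stand in for the database.

```javascript
// Added example, not WeKan code. Object model and function names are hypothetical;
// the records below are constructed in memory to stand in for the database.

const users = {
  alice:   { _id: 'alice',   isAdmin: false },
  mallory: { _id: 'mallory', isAdmin: false },
};
const boards = {
  b1: { _id: 'b1', orgs: [], members: [{ userId: 'alice',   isAdmin: true }] },
  b2: { _id: 'b2', orgs: [], members: [{ userId: 'mallory', isAdmin: true }] },
};
const cards = {
  c1: { _id: 'c1', boardId: 'b1' },
  c2: { _id: 'c2', boardId: 'b2' },
};
const checklists = {
  k1: { _id: 'k1', cardId: 'c1' },
};

class AuthorizationError extends Error {}

// Vulnerable: authentication is checked, authorization is not. Whatever board
// the request names gets written, so any logged-in user can edit any board.
function setBoardOrgsVulnerable(userId, payload) {
  if (!users[userId]) throw new AuthorizationError('not authenticated');
  const board = boards[payload.boardId];
  if (!board) throw new Error('no such board');
  board.orgs = payload.orgs.slice();
  return board;
}

// Resolve each identifier the client supplied to the board it belongs to.
// Returns the board only if every supplied identifier resolves to the same one;
// an unknown object or a mismatch (card from board A, boardId of board B) yields null.
function resolveBoard(payload) {
  const boardIds = new Set();
  if (payload.boardId !== undefined) boardIds.add(payload.boardId);
  if (payload.cardId !== undefined) {
    const card = cards[payload.cardId];
    boardIds.add(card ? card.boardId : null);
  }
  if (payload.checklistId !== undefined) {
    const checklist = checklists[payload.checklistId];
    const card = checklist ? cards[checklist.cardId] : undefined;
    boardIds.add(card ? card.boardId : null);
  }
  if (boardIds.size !== 1 || boardIds.has(null)) return null;
  return boards[[...boardIds][0]] || null;
}

// Site admins may edit any board; otherwise the caller must be an admin member of it.
function isBoardAdmin(board, userId) {
  const user = users[userId];
  if (!user) return false;
  if (user.isAdmin) return true;
  return board.members.some(m => m.userId === userId && m.isAdmin === true);
}

// Hardened: derive the target from server-side data, authorize against it,
// validate the payload, and only then write. "Unknown" and "forbidden" share one
// error so the endpoint does not confirm which board ids exist.
function setBoardOrgsHardened(userId, payload) {
  if (!users[userId]) throw new AuthorizationError('not authenticated');
  const board = resolveBoard(payload);
  if (!board || !isBoardAdmin(board, userId)) throw new AuthorizationError('forbidden');
  if (!Array.isArray(payload.orgs) || !payload.orgs.every(o => typeof o === 'string')) {
    throw new TypeError('orgs must be an array of strings');
  }
  board.orgs = payload.orgs.slice();
  return board;
}

// mallory administers b2 only; both calls below target alice's board b1.
function demo() {
  const outcome = {};
  try {
    setBoardOrgsHardened('mallory', { boardId: 'b1', orgs: ['evil-org'] });
    outcome.hardened = 'accepted';
  } catch (e) {
    outcome.hardened = e instanceof AuthorizationError ? 'rejected' : 'error';
  }
  outcome.vulnerable = setBoardOrgsVulnerable('mallory', { boardId: 'b1', orgs: ['evil-org'] }).orgs;
  return outcome; // { hardened: 'rejected', vulnerable: ['evil-org'] }
}

if (typeof require !== 'undefined' && require.main === module) console.log(demo());
```

The point of resolveBoard is that the client-supplied boardId is never the source of truth: the board is looked up from whichever object the request names, and a request that names objects from two different boards is refused rather than having one of them silently win.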

Generated by OpenCVE AI on April 17, 2026 at 23:06 UTC.

Tracking


Advisories

No advisories yet.

History

Tue, 10 Feb 2026 18:00:00 +0000

Type: CPEs
Values added: cpe:2.3:a:wekan_project:wekan:*:*:*:*:*:*:*:*

Thu, 05 Feb 2026 15:15:00 +0000

Type: Metrics
Values added: ssvc (version 2.0.3): Automatable: no; Exploitation: none; Technical Impact: partial


Thu, 05 Feb 2026 11:45:00 +0000

Type: First Time appeared
Values added: Wekan Project; Wekan Project wekan
Type: Vendors & Products
Values added: Wekan Project; Wekan Project wekan

Wed, 04 Feb 2026 22:15:00 +0000

Type: Description
Values added: A security vulnerability has been detected in WeKan up to 8.20. This affects the function setBoardOrgs of the file models/boards.js of the component REST API. Such manipulation of the argument item.cardId/item.checklistId/card.boardId leads to improper authorization. The attack may be launched remotely. A high complexity level is associated with this attack. The exploitability is reported as difficult. Upgrading to version 8.21 mitigates this issue. The name of the patch is cabfeed9a68e21c469bf206d8655941444b9912c. It is suggested to upgrade the affected component.
Type: Title
Values added: WeKan REST API boards.js setBoardOrgs improper authorization
Type: Weaknesses
Values added: CWE-266, CWE-285
Type: References
Values added: (none recorded)
Type: Metrics
Values added:
  cvssV2_0: score 4.6, vector AV:N/AC:H/Au:S/C:P/I:P/A:P/E:ND/RL:OF/RC:C
  cvssV3_0: score 5, vector CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L/E:X/RL:O/RC:C
  cvssV3_1: score 5, vector CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L/E:X/RL:O/RC:C
  cvssV4_0: score 2.3, vector CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-02-23T09:16:53.549Z

Reserved: 2026-02-04T14:33:34.302Z

Link: CVE-2026-1892

Vulnrichment

Updated: 2026-02-05T15:07:26.285Z

NVD

Status : Analyzed

Published: 2026-02-04T22:15:58.110

Modified: 2026-02-10T17:45:33.370

Link: CVE-2026-1892

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T23:15:30Z

Weaknesses