Description
WeKan versions prior to 8.19 contain an LDAP filter injection vulnerability in LDAP authentication. User-supplied username input is incorporated into LDAP search filters and DN-related values without adequate escaping, allowing an attacker to manipulate LDAP queries during authentication.
Published: 2026-02-07
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: LDAP authentication filter injection allows an attacker to manipulate LDAP queries during login, potentially bypassing authentication and accessing restricted information
Action: Immediate Patch
AI Analysis

Impact

The vulnerability allows a malicious user to inject arbitrary LDAP filter content by supplying crafted usernames. This can alter the LDAP query executed during authentication, enabling an attacker to cause the system to authenticate without legitimate credentials or to retrieve unauthorized data.

Affected Systems

All deployed versions of WeKan before 8.19 are affected. The issue is present in the WeKan product from the WeKan project, with no specific build or patch level mentioned beyond the 8.19 cutoff.

Risk and Exploitability

The CVSS score of 8.7 indicates a high severity, while the EPSS score of <1% signals a very low likelihood of current exploitation. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires remote access to the application’s authentication endpoint and the ability to supply a crafted username, which is commonly available to external attackers once the service is exposed over the network.

Generated by OpenCVE AI on April 16, 2026 at 17:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade WeKan to version 8.19 or later, which contains the LDAP filter escaping fix provided in the official patch
  • For environments where an immediate upgrade is not feasible, sanitize all user-supplied username input by escaping LDAP control characters (e.g., "*" and ")") and enforce a strict alphanumeric policy for usernames
  • Apply network controls to restrict LDAP authentication traffic to known, trusted hosts and monitor authentication logs for anomalous query patterns
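As an added illustration of the escaping and allowlisting recommended above (example code written for this page, not part of the advisory and not WeKan's own code), the following JavaScript shows RFC 4515 filter-value escaping, RFC 4514 DN-value escaping and a strict username allowlist, with a naive filter construction beside the hardened one. The filter shape `(&(objectClass=person)(uid=...))`, the username policy and the sample input are constructed assumptions.

```javascript
// Added example (not WeKan's own code): escape user input before it reaches an
// LDAP search filter (RFC 4515) or a DN (RFC 4514), and allowlist usernames.

// Encode one character as the \XX hex form both RFCs use.
const hex = (ch) => '\\' + ch.charCodeAt(0).toString(16).padStart(2, '0');

// Escape a value placed inside a search filter. Backslash, '*', '(', ')' and
// NUL are the characters that can change the filter's structure.
function escapeFilterValue(value) {
  return String(value).replace(/[\\*()\0]/g, hex);
}

// Escape a value used as an attribute value inside a DN.
function escapeDnValue(value) {
  let s = String(value).replace(/[\\,+"<>;=\0]/g, hex);
  if (s.startsWith(' ') || s.startsWith('#')) s = '\\' + s;             // leading space or '#'
  if (s.endsWith(' ') && !s.endsWith('\\ ')) s = s.slice(0, -1) + '\\ '; // trailing space
  return s;
}

// Strict allowlist policy for usernames (assumed policy, not WeKan's).
const USERNAME_RE = /^[A-Za-z0-9._-]{1,64}$/;
function isAllowedUsername(username) {
  return USERNAME_RE.test(String(username));
}

// Assumed filter shape. The naive version concatenates the username verbatim,
// which is the CWE-90 pattern: filter metacharacters in the input become part
// of the query grammar instead of the value being compared.
function unsafeLoginFilter(username) {
  return `(&(objectClass=person)(uid=${username}))`;
}

// Hardened version: the directory now compares uid against the literal string.
function safeLoginFilter(username) {
  return `(&(objectClass=person)(uid=${escapeFilterValue(username)}))`;
}

// Constructed sample input containing filter metacharacters.
const sample = 'alice*)(objectClass=*';
console.log('unsafe: ', unsafeLoginFilter(sample));   // extra clause becomes part of the query
console.log('safe:   ', safeLoginFilter(sample));     // metacharacters neutralised
console.log('allowed:', isAllowedUsername(sample));   // rejected by the allowlist
console.log('dn:     ', escapeDnValue('Doe, John'));  // comma escaped for DN use
```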

Advisories

No advisories yet.

History

Tue, 10 Feb 2026 22:15:00 +0000

Type | Values Removed | Values Added
CPEs | | cpe:2.3:a:wekan_project:wekan:*:*:*:*:*:*:*:*
Metrics | | cvssV3_1 {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Tue, 10 Feb 2026 17:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 09 Feb 2026 11:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Wekan Project; Wekan Project wekan
Vendors & Products | | Wekan Project; Wekan Project wekan

Sat, 07 Feb 2026 22:00:00 +0000

Type | Values Removed | Values Added
Description | | WeKan versions prior to 8.19 contain an LDAP filter injection vulnerability in LDAP authentication. User-supplied username input is incorporated into LDAP search filters and DN-related values without adequate escaping, allowing an attacker to manipulate LDAP queries during authentication.
Title | | WeKan < 8.19 LDAP Authentication Filter Injection
Weaknesses | | CWE-90
References | |
Metrics | | cvssV4_0 {'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-03-05T01:30:45.835Z

Reserved: 2026-02-02T20:12:33.396Z

Link: CVE-2026-25560

Vulnrichment

Updated: 2026-02-10T16:19:50.709Z

NVD

Status: Analyzed

Published: 2026-02-07T22:16:01.347

Modified: 2026-02-10T22:03:03.880

Link: CVE-2026-25560

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T17:30:26Z

Weaknesses