Description
WeKan versions prior to 8.19 contain an authorization weakness in the attachment upload API. The API does not fully validate that provided identifiers (such as boardId, cardId, swimlaneId, and listId) are consistent and refer to a coherent card/board relationship, enabling attempts to upload attachments with mismatched object relationships.
Published: 2026-02-07
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Bypassing validation of attachment upload object relationships allows unauthorized attachments to be associated with arbitrary cards or boards.
Action: Immediate Patch
AI Analysis

Impact

WeKan releases before version 8.19 lack proper authorization checks in the attachment upload API. The API does not verify that the IDs supplied for board, card, swimlane, and list are consistent and refer to a legitimate, related set of objects. As a result, a user can upload an attachment while referencing identifiers that do not belong together, effectively attaching data to objects that belong to other boards or users. Such unauthorized modification, and the information leak it may entail, is an instance of CWE-863 (Incorrect Authorization), which could compromise the confidentiality, integrity, and availability of the data stored on the system.

Affected Systems

All installations of the WeKan project platform running versions earlier than 8.19 are vulnerable. This includes any deployment of the WeKan web application where users have access to the attachment upload API. No specific server or operating system versions are mentioned; the flaw resides purely in the application code.

Risk and Exploitability

The CVSS score of 7.1 reflects a medium to high severity risk. EPSS estimates the probability of exploitation in the wild at less than 1%, and the vulnerability is not currently listed in the CISA KEV catalog. An attacker needs access to the attachment upload API; the CVSS vector (PR:L) indicates that only low-privileged authenticated access is required. Once authenticated, the attacker could attach files to unrelated cards or boards, which may lead to data exposure or other unintended effects. Overall, the risk is moderate but tangible, especially for installations whose API is reachable by untrusted users.

Generated by OpenCVE AI on April 17, 2026 at 22:06 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to WeKan version 8.19 or later to apply the fix that properly validates object relationships in the attachment upload API.
  • If an upgrade is not immediately possible, restrict API access to strictly authenticated users with least‑privilege permissions and add explicit server‑side checks that board, card, swimlane, and list identifiers all belong to the same hierarchy before accepting an attachment upload.
  • Monitor logs for attachment uploads that reference mismatched identifiers and investigate any anomalous activity to detect exploitation attempts.
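The two recommendations above (a server-side hierarchy check before accepting an upload, and a log sweep for mismatched identifiers) can share one piece of logic. The following is an added example written for this page, not WeKan's own code: the field names boardId, cardId, swimlaneId and listId come from the advisory, while the in-memory store, the board member lists and the JSON-per-line log format are constructed assumptions.

```javascript
// Added example (not WeKan's code): server-side consistency check for an
// attachment upload request, plus a log sweep that applies the same check.
// Field names (boardId, cardId, swimlaneId, listId) come from the advisory;
// the store shape, member lists and log format are constructed assumptions.

// Constructed sample data: two boards with their lists, swimlanes and cards.
const store = {
  boards: {
    b1: { members: ['alice'] },
    b2: { members: ['bob'] },
  },
  lists: {
    l1: { boardId: 'b1' },
    l2: { boardId: 'b2' },
  },
  swimlanes: {
    s1: { boardId: 'b1' },
    s2: { boardId: 'b2' },
  },
  cards: {
    c1: { boardId: 'b1', listId: 'l1', swimlaneId: 's1' },
    c2: { boardId: 'b2', listId: 'l2', swimlaneId: 's2' },
  },
};

// Every identifier in the request must resolve, and the resolved objects must
// form one hierarchy: card -> list/swimlane -> board. Returns every failed
// check rather than the first, so a log sweep can report the exact mismatch.
function validateAttachmentTarget(db, req) {
  const { userId, boardId, cardId, swimlaneId, listId } = req;
  const problems = [];
  const board = db.boards[boardId];
  const card = db.cards[cardId];
  const list = db.lists[listId];
  const swimlane = db.swimlanes[swimlaneId];

  if (!board) problems.push('unknown board');
  else if (!board.members.includes(userId)) problems.push('user not a board member');
  if (!card) problems.push('unknown card');
  if (!list) problems.push('unknown list');
  if (!swimlane) problems.push('unknown swimlane');

  // Only compare relationships once every referenced object resolved.
  if (board && card && list && swimlane) {
    if (card.boardId !== boardId) problems.push('card not on board');
    if (list.boardId !== boardId) problems.push('list not on board');
    if (swimlane.boardId !== boardId) problems.push('swimlane not on board');
    if (card.listId !== listId) problems.push('card not in list');
    if (card.swimlaneId !== swimlaneId) problems.push('card not in swimlane');
  }
  return { ok: problems.length === 0, problems };
}

// Constructed log format: one JSON object per upload request, as an upload
// handler might emit. Re-running the check over the log surfaces past
// requests whose identifiers did not form a coherent hierarchy.
function findMismatchedUploads(db, logText) {
  return logText
    .split('\n')
    .filter((line) => line.trim() !== '')
    .map((line) => JSON.parse(line))
    .map((entry) => ({ ...entry, ...validateAttachmentTarget(db, entry) }))
    .filter((entry) => !entry.ok);
}

// Constructed sample log: one consistent upload, one with a card from another
// board, one from a user who is not a member of the target board.
const sampleLog = [
  '{"ts":"2026-02-08T10:00:00Z","userId":"alice","boardId":"b1","cardId":"c1","swimlaneId":"s1","listId":"l1"}',
  '{"ts":"2026-02-08T10:01:00Z","userId":"alice","boardId":"b1","cardId":"c2","swimlaneId":"s1","listId":"l1"}',
  '{"ts":"2026-02-08T10:02:00Z","userId":"bob","boardId":"b1","cardId":"c1","swimlaneId":"s1","listId":"l1"}',
].join('\n');

if (typeof require !== 'undefined' && require.main === module) {
  for (const hit of findMismatchedUploads(store, sampleLog)) {
    console.log(hit.ts, hit.userId, hit.problems.join('; '));
  }
}
```

The check deliberately treats a missing object and a mismatched relationship as separate findings, so that a request which passes existence checks but ties a card to the wrong board is reported as exactly that; on the upload path, any non-empty `problems` list should result in the request being rejected before the file is stored.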

Advisories

No advisories yet.

History

Tue, 10 Feb 2026 22:15:00 +0000

Type      Values Removed   Values Added
CPEs                       cpe:2.3:a:wekan_project:wekan:*:*:*:*:*:*:*:*
Metrics                    cvssV3_1
                           {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N'}


Tue, 10 Feb 2026 17:15:00 +0000

Type      Values Removed   Values Added
Metrics                    ssvc
                           {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 09 Feb 2026 11:00:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Wekan Project
                                      Wekan Project wekan
Vendors & Products                    Wekan Project
                                      Wekan Project wekan

Sat, 07 Feb 2026 22:00:00 +0000

Type          Values Removed   Values Added
Description                    WeKan versions prior to 8.19 contain an authorization weakness in the attachment upload API. The API does not fully validate that provided identifiers (such as boardId, cardId, swimlaneId, and listId) are consistent and refer to a coherent card/board relationship, enabling attempts to upload attachments with mismatched object relationships.
Title                          WeKan < 8.19 Attachment Upload Object Relationship Validation Bypass
Weaknesses                     CWE-863
References
Metrics                        cvssV4_0
                               {'score': 7.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-03-05T01:30:46.691Z

Reserved: 2026-02-02T20:12:33.396Z

Link: CVE-2026-25561

Vulnrichment

Updated: 2026-02-10T16:21:00.405Z

NVD

Status: Analyzed

Published: 2026-02-07T22:16:01.490

Modified: 2026-02-10T22:02:06.320

Link: CVE-2026-25561

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T22:15:29Z

Weaknesses