Description
WeKan versions prior to 8.19 contain an insecure direct object reference (IDOR) in checklist creation and related checklist routes. The implementation does not verify that the supplied cardId belongs to the supplied boardId, allowing cross-board ID tampering by manipulating identifiers.
Published: 2026-02-07
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized data manipulation via insecure direct object reference
Action: Immediate Patch
AI Analysis

Impact

A vulnerability in older WeKan releases allows an attacker to create or modify checklists by manipulating card identifiers that are not verified against the associated board. The flaw is an insecure direct object reference, meaning that malicious users can tailor requests to reference objects belonging to other boards. This can lead to unauthorized data modification or insertion, potentially exposing or altering information without permission. The weakness is classified as CWE-639.

Affected Systems

All WeKan deployments running a version earlier than 8.19 are affected. The issue resides in the checklist creation endpoint and related routes that do not enforce ownership checks between cardId and boardId. System administrators should evaluate their current version and whether any boards contain sensitive or restricted data that could be exposed through this flaw.

Risk and Exploitability

The vulnerability carries a CVSS score of 7.1, indicating a moderate to high severity. Exploitation probability is low, with an EPSS score of less than 1%, and the flaw is not listed in the CISA KEV catalog. The likely attack path involves authenticated users sending crafted API requests or URLs that reference arbitrary cardIds on other boards. Adequate authentication is required, but once authenticated, an attacker can exploit the missing reference checks to tamper with cross-board checklists.

Generated by OpenCVE AI on April 17, 2026 at 22:06 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to WeKan version 8.19 or later, which adds the missing check that a cardId belongs to the supplied boardId.
  • Confirm that all checklist-related endpoints enforce that the supplied cardId belongs to the supplied boardId; if not, implement additional checks on the server side.
  • If an immediate upgrade is not possible, restrict API access to trusted users or network segments and monitor for anomalous checklist creation or editing activity across boards.
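The ownership check recommended above, written as an added example in plain Node.js. This is not WeKan's code: the in-memory boards/cards store, the function names and the request shape are assumptions chosen to show the bug class (CWE-639) next to its fix. The unchecked handler authorises against the caller-supplied boardId and never confirms the card lives on that board; the checked handler resolves the card first, derives the board from the card, rejects a mismatch, and records the mismatch as an audit event of the kind the monitoring advice refers to.

```javascript
// Added example (not WeKan's code): checklist creation with and without a
// card-to-board ownership check. Data model and names are assumptions.

// Constructed sample data: two boards with different members, one card each.
const boards = new Map([
  ['boardA', { _id: 'boardA', members: ['alice'] }],
  ['boardB', { _id: 'boardB', members: ['bob'] }],
]);
const cards = new Map([
  ['card1', { _id: 'card1', boardId: 'boardA' }],
  ['card2', { _id: 'card2', boardId: 'boardB' }],
]);
const checklists = []; // created checklists (both handlers write here)
const auditLog = [];   // cross-board attempts detected by the hardened handler

function isBoardMember(boardId, userId) {
  const board = boards.get(boardId);
  return Boolean(board && board.members.includes(userId));
}

// Vulnerable pattern: the membership check uses the boardId the caller sent,
// and the card is only checked for existence, not for belonging to that board.
// A member of boardA can therefore pass boardId=boardA with a cardId from boardB.
function createChecklistUnchecked({ userId, boardId, cardId, title }) {
  if (!isBoardMember(boardId, userId)) throw new Error('forbidden');
  if (!cards.has(cardId)) throw new Error('card not found');
  const checklist = { boardId, cardId, title, createdBy: userId };
  checklists.push(checklist);
  return checklist;
}

// Hardened pattern: look the card up first, take the board from the card, and
// refuse the request when the supplied boardId disagrees. Authorisation is then
// evaluated against the card's real board, so a forged boardId widens nothing.
function createChecklistChecked({ userId, boardId, cardId, title }) {
  const card = cards.get(cardId);
  if (!card) throw new Error('card not found');
  if (card.boardId !== boardId) {
    // The mismatch itself is worth logging: it is the signal to monitor for.
    auditLog.push({ event: 'checklist.cross_board_attempt', userId, boardId, cardId });
    throw new Error('card does not belong to board');
  }
  if (!isBoardMember(card.boardId, userId)) throw new Error('forbidden');
  const checklist = { boardId: card.boardId, cardId, title, createdBy: userId };
  checklists.push(checklist);
  return checklist;
}

// Runs one cross-board request (alice, a boardA member, targeting boardB's card)
// through both handlers and reports what each did with it.
function demoCrossBoardRequest() {
  const req = { userId: 'alice', boardId: 'boardA', cardId: 'card2', title: 'tampered' };
  const outcome = {};
  try { createChecklistUnchecked(req); outcome.unchecked = 'allowed'; }
  catch (e) { outcome.unchecked = e.message; }
  try { createChecklistChecked(req); outcome.checked = 'allowed'; }
  catch (e) { outcome.checked = e.message; }
  return outcome;
}

console.log(demoCrossBoardRequest());
// { unchecked: 'allowed', checked: 'card does not belong to board' }
```

The design point is the order of operations: resolve the object, derive its parent, then authorise against the parent you derived, never against an identifier the client chose. The same pattern applies to the other checklist routes the advisory mentions (edit, delete, item operations), which should all resolve through the card rather than trust a boardId in the request.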

Advisories

No advisories yet.

History

Tue, 10 Feb 2026 22:00:00 +0000

Type | Values Removed | Values Added
CPEs | | cpe:2.3:a:wekan_project:wekan:*:*:*:*:*:*:*:*
Metrics | | cvssV3_1: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N'}

Tue, 10 Feb 2026 17:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 09 Feb 2026 11:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Wekan Project; Wekan Project wekan
Vendors & Products | | Wekan Project; Wekan Project wekan

Sat, 07 Feb 2026 22:00:00 +0000

Type | Values Removed | Values Added
Description | | WeKan versions prior to 8.19 contain an insecure direct object reference (IDOR) in checklist creation and related checklist routes. The implementation does not verify that the supplied cardId belongs to the supplied boardId, allowing cross-board ID tampering by manipulating identifiers.
Title | | WeKan < 8.19 Checklist Creation Cross-Board IDOR
Weaknesses | | CWE-639
References | |
Metrics | | cvssV4_0: {'score': 7.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-03-05T01:30:48.221Z

Reserved: 2026-02-02T20:12:33.396Z

Link: CVE-2026-25563

Vulnrichment

Updated: 2026-02-10T16:23:43.894Z

NVD

Status : Analyzed

Published: 2026-02-07T22:16:01.767

Modified: 2026-02-10T21:59:34.797

Link: CVE-2026-25563

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T22:15:29Z

Weaknesses