Impact
WeKan versions prior to 8.19 contain an insecure direct object reference in the checklist routes: the handlers fail to confirm that the card ID supplied in a request belongs to the board ID supplied alongside it. This missing authorization check allows an attacker to tamper with the identifiers and potentially delete or modify a checklist on a board that the user does not own, compromising data integrity. The vulnerability is a classic IDOR flaw catalogued as CWE-639.
Affected Systems
The issue affects the WeKan project's task management platform, specifically all releases before version 8.19. Administrators should verify whether their current deployment is one of the affected versions and note that the problem lies in the core application code for checklist handling, not in an optional component.
Risk and Exploitability
The CVSS score of 7.1 indicates a high-impact vulnerability, while the EPSS score of less than one percent suggests a very low likelihood of exploitation in the wild at this time. As the flaw is not listed in the CISA Known Exploited Vulnerabilities catalog, there is no indication of active exploitation. An attacker can trigger the flaw by sending crafted HTTP requests with a forged cardId and boardId, a method typically available to any authenticated user with access to the WeKan interface. Based on the description, it is inferred that the attack vector is remote over the network, requiring only knowledge of the vulnerable endpoint's parameters.
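To make the missing check concrete, the following is an added example written for this page (not WeKan's own handler code) that contrasts a checklist route which trusts the caller's boardId with one that resolves board, card and checklist in turn and compares the identifiers at each step. The in-memory store, user names, board/card/checklist IDs and function names are all constructed for illustration.

```javascript
// Added example, not WeKan code. Constructed in-memory store standing in for
// the Boards, Cards and Checklists collections.
const boards = new Map([
  ['board-A', { members: new Set(['alice']) }],
  ['board-B', { members: new Set(['bob']) }],
]);

const cards = new Map([
  ['card-1', { boardId: 'board-A' }],
  ['card-2', { boardId: 'board-B' }], // lives on board-B, not board-A
]);

const checklists = new Map([
  ['chk-1', { cardId: 'card-1', title: 'Release tasks' }],
  ['chk-2', { cardId: 'card-2', title: 'Private tasks' }],
]);

// The pattern the advisory describes (CWE-639): membership is checked against
// the boardId the caller supplied, and the checklist is matched to the cardId
// the caller supplied, but nobody confirms that the card belongs to that board.
function authorizeChecklistUnchecked(userId, boardId, cardId, checklistId) {
  const board = boards.get(boardId);
  if (!board || !board.members.has(userId)) {
    return { ok: false, status: 403, reason: 'not a board member' };
  }
  const checklist = checklists.get(checklistId);
  if (!checklist || checklist.cardId !== cardId) {
    return { ok: false, status: 404, reason: 'checklist not on this card' };
  }
  // Missing link: cards.get(cardId).boardId is never compared with boardId,
  // so a member of board-A can reach checklists hanging off board-B's cards.
  return { ok: true, status: 200, checklist };
}

// Hardened form: walk the ownership chain board -> card -> checklist and
// reject the request at the first identifier that does not line up. The same
// 404 is returned for "missing" and "not yours" so the response does not
// reveal whether an object exists on another board.
function authorizeChecklistChecked(userId, boardId, cardId, checklistId) {
  const board = boards.get(boardId);
  if (!board) return { ok: false, status: 404, reason: 'board not found' };
  if (!board.members.has(userId)) {
    return { ok: false, status: 403, reason: 'not a board member' };
  }
  const card = cards.get(cardId);
  if (!card || card.boardId !== boardId) {
    return { ok: false, status: 404, reason: 'card not on this board' };
  }
  const checklist = checklists.get(checklistId);
  if (!checklist || checklist.cardId !== cardId) {
    return { ok: false, status: 404, reason: 'checklist not on this card' };
  }
  return { ok: true, status: 200, checklist };
}

// Stand-alone demonstration: alice, a member of board-A only, supplies her own
// boardId together with a card and checklist that belong to board-B.
if (typeof require !== 'undefined' && require.main === module) {
  console.log('unchecked:', authorizeChecklistUnchecked('alice', 'board-A', 'card-2', 'chk-2'));
  console.log('checked:  ', authorizeChecklistChecked('alice', 'board-A', 'card-2', 'chk-2'));
}
```

The fix is the single `card.boardId !== boardId` comparison, but the more durable habit is to derive `boardId` from the card record on the server rather than accepting it from the request at all; once the server looks the board up from the card, the caller has nothing to forge.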
OpenCVE Enrichment