Description
WeKan versions prior to 8.19 contain an authorization vulnerability where certain card update API paths validate only board read access rather than requiring write permission. This can allow users with read-only roles to perform card updates that should require write access.
Published: 2026-02-07
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Write Access to Cards in WeKan Boards
Action: Patch Immediately
AI Analysis

Impact

WeKan versions before 8.19 suffer from an authorization flaw that causes the card update API to perform only a board read‑access check instead of verifying the user’s write permission. This means any user granted just a read‑only role on a board can modify card details such as titles, content, and timestamps. The weakness is a classic case of insufficient authorization (CWE‑863), leading to integrity violations within project boards.

Affected Systems

The vulnerability affects the WeKan project’s board management functionality in all releases prior to 8.19. Users who interact with a WeKan board via the web interface or the API may be impacted if they have been assigned a read‑only board role.

Risk and Exploitability

The CVSS base score of 7.1 reflects high severity because of the potential for significant data tampering. The EPSS score is reported as < 1 %, indicating that, at the time of assessment, the likelihood of exploitation is low, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires an authenticated account that already holds a read‑only role on the board together with access to the card‑update API endpoints; the attack vector is network‑level (AV:N), as inferred from the API context. Successful exploitation could allow an attacker to alter project data or undermine board integrity, potentially compromising project workflow and reporting.

Generated by OpenCVE AI on April 16, 2026 at 17:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade WeKan to version 8.19 or later to install the vendor‑provided fix.
  • Review role definitions to ensure read‑only users do not possess write permissions on any boards; enforce least privilege principles.
  • If an upgrade cannot be performed immediately, isolate or disable unsecured card‑update API endpoints for users lacking explicit write rights, or restrict their network access to those endpoints.

Generated by OpenCVE AI on April 16, 2026 at 17:20 UTC.
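The authorization gap described above (a card-update path that checks only board read access) and the least-privilege check the recommended actions call for, shown side by side as an added example. This is not WeKan's code: the role names, board structure and function names are assumptions for illustration.

```javascript
// Added illustration of the CVE-2026-25565 pattern; not WeKan's own code.
// Role names, field names and function names are assumptions for this example.
const ROLES = { admin: 'admin', member: 'member', readOnly: 'read-only' };

// Constructed sample board: one regular member and one read-only member.
const sampleBoard = {
  id: 'board-1',
  members: [
    { userId: 'alice', role: ROLES.member },
    { userId: 'bob', role: ROLES.readOnly },
  ],
};

function membership(board, userId) {
  return board.members.find((m) => m.userId === userId);
}

// Every board member, read-only included, may read the board.
function canReadBoard(board, userId) {
  return Boolean(membership(board, userId));
}

// Only admins and regular members may change cards.
function canWriteBoard(board, userId) {
  const m = membership(board, userId);
  return Boolean(m) && (m.role === ROLES.admin || m.role === ROLES.member);
}

// Vulnerable shape: the update path gates on read access only,
// so a read-only member can change the card.
function updateCardVulnerable(board, card, userId, changes) {
  if (!canReadBoard(board, userId)) throw new Error('forbidden');
  return { ...card, ...changes, modifiedAt: new Date().toISOString() };
}

// Hardened shape: the update path requires write permission.
function updateCardHardened(board, card, userId, changes) {
  if (!canWriteBoard(board, userId)) throw new Error('forbidden');
  return { ...card, ...changes, modifiedAt: new Date().toISOString() };
}

// Regression check for a test suite: does a read-only member get through
// the given update path? Returns true when the path is exposed.
function readOnlyMemberCanUpdate(updateFn, board = sampleBoard) {
  const card = { id: 'card-1', title: 'original' };
  try { updateFn(board, card, 'bob', { title: 'changed' }); return true; }
  catch (err) { return false; }
}
```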

Advisories

No advisories yet.

History

Tue, 10 Feb 2026 22:00:00 +0000

Type      Values Removed   Values Added
CPEs                       cpe:2.3:a:wekan_project:wekan:*:*:*:*:*:*:*:*
Metrics                    cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N'}


Tue, 10 Feb 2026 17:15:00 +0000

Type      Values Removed   Values Added
Metrics                    ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 09 Feb 2026 11:00:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Wekan Project
                                      Wekan Project wekan
Vendors & Products                    Wekan Project
                                      Wekan Project wekan

Sat, 07 Feb 2026 22:00:00 +0000

Type         Values Removed   Values Added
Description                   WeKan versions prior to 8.19 contain an authorization vulnerability where certain card update API paths validate only board read access rather than requiring write permission. This can allow users with read-only roles to perform card updates that should require write access.
Title                         WeKan < 8.19 Read-only Board Roles Can Update Cards
Weaknesses                    CWE-863
References
Metrics                       cvssV4_0 {'score': 7.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-03-05T01:30:49.734Z

Reserved: 2026-02-02T20:12:33.396Z

Link: CVE-2026-25565

Vulnrichment

Updated: 2026-02-10T16:26:37.890Z

NVD

Status: Analyzed

Published: 2026-02-07T22:16:02.043

Modified: 2026-02-10T21:57:16.657

Link: CVE-2026-25565

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T17:30:26Z

Weaknesses