Description
WeKan versions prior to 8.19 contain an authorization vulnerability in card move logic. A user can specify a destination board/list/swimlane without adequate authorization checks for the destination and without validating that destination objects belong to the destination board, potentially enabling unauthorized cross-board moves.
Published: 2026-02-07
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Authorization bypass allowing unauthorized cross-board card movement
Action: Patch
AI Analysis

Impact

The vulnerability resides in the card move logic of WeKan and is categorized as an authorization error (CWE-863). A properly authenticated user can move a card to any board, list, or swimlane without the necessary permission checks against the destination. Consequently, an attacker who controls the destination parameters could transfer cards into or out of boards they are not authorized for, potentially leaking sensitive information or disrupting workflows.

Affected Systems

WeKan releases prior to version 8.19 are affected. The issue is present in the core code base and can be exercised by any user who has access to the application, regardless of the board to which they intend to move the card.

Risk and Exploitability

The CVSS score of 7.1 indicates a high-impact security flaw. The exploit probability is very low (EPSS < 1%) and the vulnerability is not listed in CISA's KEV catalog, suggesting it has not been widely exploited yet. The likely attack vector involves a user interacting with the application UI or API to submit a move request with a fabricated destination. A successful exploit would grant the attacker the ability to move cards in ways they are not authorized to, compromising the confidentiality and integrity of data across boards.

Generated by OpenCVE AI on April 17, 2026 at 22:05 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade WeKan to version 8.19 or later, which removes the missing authorization checks in the card move logic.
  • Restrict card move permissions so only users who have authorized access to both the source and destination boards can perform moves; review and adjust role assignments accordingly.
  • Enable logging for move actions and monitor audit logs for unusual cross-board card movements, reviewing suspicious activity promptly.

Generated by OpenCVE AI on April 17, 2026 at 22:05 UTC.

Advisories

No advisories yet.

History

Wed, 18 Feb 2026 20:45:00 +0000

Type: CPEs | Values Removed: (none) | Values Added: cpe:2.3:a:wekan_project:wekan:*:*:*:*:*:*:*:*
Type: Metrics | Values Removed: (none) | Values Added: cvssV3_1 {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N'}


Tue, 10 Feb 2026 17:15:00 +0000

Type: Metrics | Values Removed: (none) | Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 09 Feb 2026 11:00:00 +0000

Type: First Time appeared | Values Removed: (none) | Values Added: Wekan Project; Wekan Project wekan
Type: Vendors & Products | Values Removed: (none) | Values Added: Wekan Project; Wekan Project wekan

Sat, 07 Feb 2026 22:00:00 +0000

Type: Description | Values Removed: (none) | Values Added: WeKan versions prior to 8.19 contain an authorization vulnerability in card move logic. A user can specify a destination board/list/swimlane without adequate authorization checks for the destination and without validating that destination objects belong to the destination board, potentially enabling unauthorized cross-board moves.
Type: Title | Values Removed: (none) | Values Added: WeKan < 8.19 Cross-board Card Move Without Destination Authorization
Type: Weaknesses | Values Removed: (none) | Values Added: CWE-863
Type: References | Values Removed: (none) | Values Added: (none)
Type: Metrics | Values Removed: (none) | Values Added: cvssV4_0 {'score': 7.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-03-05T01:30:50.546Z

Reserved: 2026-02-02T20:12:33.397Z

Link: CVE-2026-25566

Vulnrichment

Updated: 2026-02-10T16:27:17.684Z

NVD

Status: Analyzed

Published: 2026-02-07T22:16:02.190

Modified: 2026-02-18T20:43:46.980

Link: CVE-2026-25566

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T22:15:29Z

Weaknesses