Description
WeKan versions prior to 8.19 contain an authorization logic vulnerability where the instance configuration setting allowPrivateOnly is not sufficiently enforced at board creation time. When allowPrivateOnly is enabled, users can still create public boards due to incomplete server-side enforcement.
Published: 2026-02-07
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Authorization Bypass – Public Board Creation
Action: Upgrade Now
AI Analysis

Impact

The flaw stems from an incomplete enforcement of the instance configuration setting allowPrivateOnly during board creation. When the setting is enabled, the server fails to block the creation of public boards, allowing any authenticated user with board-creation privileges to publish a board publicly. This bypass enables the disclosure of data that should remain private and undermines the intended privacy controls of the system. The weakness is identified as CWE-863: Insufficient Authorization Checks.

Affected Systems

WeKan web application versions earlier than 8.19, as used by community and enterprise deployments of the WeKan project, are affected.

Risk and Exploitability

The vulnerability carries a CVSS v3 base score of 7.1, indicating a high impact when exploited. An EPSS score of less than 1% indicates a low probability of widespread exploitation at this time, and the issue is not listed in the CISA KEV catalog. Exploitation requires an authenticated user with permission to create boards; the attacker would simply submit a board-creation request via the UI or API while the allowPrivateOnly setting is true. Successful exploitation results in the creation of a public board that can be accessed by anyone, potentially exposing sensitive information.

Generated by OpenCVE AI on April 17, 2026 at 22:05 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade WeKan to version 8.19 or later to apply the corrected enforcement logic
  • Ensure the global configuration file sets allowPrivateOnly to true and verify that the setting is effective
  • Restrict the permission to create boards to administrative or trusted roles until the patch is applied

Advisories

No advisories yet.

History

Tue, 10 Feb 2026 22:00:00 +0000

Type | Values Removed | Values Added
CPEs | (none) | cpe:2.3:a:wekan_project:wekan:*:*:*:*:*:*:*:*
Metrics | (none) | cvssV3_1 {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}

Mon, 09 Feb 2026 18:15:00 +0000

Type | Values Removed | Values Added
Metrics | (none) | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 09 Feb 2026 11:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | (none) | Wekan Project; Wekan Project wekan
Vendors & Products | (none) | Wekan Project; Wekan Project wekan

Sat, 07 Feb 2026 22:00:00 +0000

Type | Values Removed | Values Added
Description | (none) | WeKan versions prior to 8.19 contain an authorization logic vulnerability where the instance configuration setting allowPrivateOnly is not sufficiently enforced at board creation time. When allowPrivateOnly is enabled, users can still create public boards due to incomplete server-side enforcement.
Title | (none) | WeKan < 8.19 allowPrivateOnly Setting Enforcement Bypass
Weaknesses | (none) | CWE-863
References | (none) |
Metrics | (none) | cvssV4_0 {'score': 7.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-03-05T01:30:52.062Z

Reserved: 2026-02-02T20:12:33.397Z

Link: CVE-2026-25568

Vulnrichment

Updated: 2026-02-09T16:59:47.323Z

NVD

Status: Analyzed

Published: 2026-02-07T22:16:02.467

Modified: 2026-02-10T21:55:34.660

Link: CVE-2026-25568

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T22:15:29Z

Weaknesses