Description
Wekan versions prior to 8.20 allow non-administrative users to access migration functionality due to insufficient permission checks, potentially resulting in unauthorized migration operations.
Published: 2026-02-07
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized migration and data modification
Action: Immediate Patch
AI Analysis

Impact

This vulnerability allows non-administrative users to invoke the migration functionality because the application performs insufficient permission checks. The result is that an attacker who is logged in with any valid account can initiate migration processes that may alter, delete, or reorganize board data, thereby compromising data integrity and potentially service continuity.

Affected Systems

WeKan board instances running any version prior to 8.20 are affected. The flaw is embedded in the core migration module of the platform, which can be accessed via the web interface by all authenticated users. Admin privileges are not enforced when the migration API endpoint is called.

Risk and Exploitability

The CVSS score of 7.1 signals a medium-to-high severity, while the EPSS score of less than 1% indicates that the likelihood of public exploitation is currently low. The flaw requires only an authenticated regular user, which an attacker can leverage via a web session or automated script from any remote machine with network access to the WeKan instance. The vulnerability is not listed in the CISA KEV catalog, and no effective exploits have been reported yet.

Generated by OpenCVE AI on April 17, 2026 at 22:05 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade WeKan to version 8.20 or later to receive the vendor-fixed permission checks.
  • Restrict access to the migration endpoint by configuring role-based permissions so that only administrators or specifically granted users can invoke it, ensuring that the OWASP Access Control checklist directive is met.
  • After applying the fix, verify that the permission check is enforced by attempting to access the migration functionality with a non-admin account and confirming that access is denied.
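The weakness class (CWE-863) and the post-patch verification step above, as an added illustration that is not Wekan's own code: a Meteor-style method handler for a hypothetical "migrateBoards" operation, first with only a login check and then with the admin check enforced and denials logged. The user records, the `isAdmin` flag, the `schemaVersion` field and all function names are assumptions.

```javascript
// Added example, not Wekan's own code: a Meteor-style method handler for a
// hypothetical "migrateBoards" operation, shown first with only a login check
// (the CWE-863 pattern behind this CVE) and then with the admin check enforced.
// USERS, isAdmin, schemaVersion and the method names are assumptions.
// Constructed user records standing in for Meteor.users documents.
const USERS = {
  'u-admin': { _id: 'u-admin', username: 'alice', isAdmin: true },
  'u-member': { _id: 'u-member', username: 'bob', isAdmin: false },
};

// Constructed in-memory boards so the migration has data to rewrite.
function makeBoards() {
  return [{ _id: 'b1', schemaVersion: 1 }, { _id: 'b2', schemaVersion: 1 }];
}

// Denied attempts are recorded here so monitoring can alert on them.
const auditLog = [];

// Vulnerable shape: being logged in is enough, so any member can migrate.
function migrateBoardsVulnerable(userId, boards) {
  if (!userId) throw new Error('not-authorized');
  boards.forEach((b) => { b.schemaVersion = 2; });
  return { migrated: boards.length };
}

// Hardened shape: the caller must be an authenticated admin; anything else
// is logged and refused before any data is touched.
function requireAdmin(userId, action) {
  const user = userId ? USERS[userId] : undefined;
  if (!user || user.isAdmin !== true) {
    auditLog.push({ action, userId: userId || null, outcome: 'denied' });
    throw new Error('not-authorized');
  }
  return user;
}

function migrateBoardsFixed(userId, boards) {
  requireAdmin(userId, 'migrateBoards');
  boards.forEach((b) => { b.schemaVersion = 2; });
  return { migrated: boards.length };
}

// The post-patch check from the recommendations: call the migration as a
// non-admin and confirm it is refused without changing any board.
function verifyNonAdminDenied(userId) {
  const boards = makeBoards();
  try { migrateBoardsFixed(userId, boards); return false; }
  catch (e) { return e.message === 'not-authorized' && boards.every((b) => b.schemaVersion === 1); }
}
```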

Advisories

No advisories yet.

History

Tue, 10 Feb 2026 22:00:00 +0000

Type      Values Removed   Values Added
CPEs      -                cpe:2.3:a:wekan_project:wekan:*:*:*:*:*:*:*:*
Metrics   -                cvssV3_1 {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Mon, 09 Feb 2026 18:15:00 +0000

Type      Values Removed   Values Added
Metrics   -                ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 09 Feb 2026 11:00:00 +0000

Type                 Values Removed   Values Added
First Time appeared  -                Wekan Project; Wekan Project wekan
Vendors & Products   -                Wekan Project; Wekan Project wekan

Sat, 07 Feb 2026 22:15:00 +0000

Type         Values Removed   Values Added
Description  -                Wekan versions prior to 8.20 allow non-administrative users to access migration functionality due to insufficient permission checks, potentially resulting in unauthorized migration operations.
Title        -                WeKan < 8.20 Migration Functionality Insufficient Permission Checks
Weaknesses   -                CWE-863
References   -
Metrics      -                cvssV4_0 {'score': 7.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N'}

MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-03-05T01:30:54.738Z

Reserved: 2026-02-06T19:12:03.463Z

Link: CVE-2026-25859

Vulnrichment

Updated: 2026-02-09T16:56:36.395Z

NVD

Status : Analyzed

Published: 2026-02-07T22:16:02.910

Modified: 2026-02-10T21:54:37.703

Link: CVE-2026-25859

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T22:15:29Z

Weaknesses