Description
WeKan before 8.35 contains a missing authorization vulnerability in the Integration REST API endpoints that allows authenticated board members to perform administrative actions without proper privilege verification. Attackers can enumerate integrations including webhook URLs, create new integrations, modify or delete existing integrations, and manage integration activities by exploiting insufficient authorization checks in the JsonRoutes REST handlers.
Published: 2026-04-22
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Missing Authorization / Privilege Escalation
Action: Immediate Patch
AI Analysis

Impact

WeKan versions before 8.35 suffer from a missing authorization flaw in the Integration REST API. Authenticated board members can use the JsonRoutes endpoints to enumerate, create, modify, or delete integrations—including webhook URLs—without proper privilege verification. This flaw falls under CWE‑862 and allows board members to perform actions that should be restricted to administrators, potentially exposing sensitive data or enabling further malicious activity.

Affected Systems

The vulnerability affects the WeKan board management application (WeKan) from vendor wekan. All instance versions below 8.35 are susceptible, while 8.35 and later contain the fix.

Risk and Exploitability

The flaw carries a CVSS score of 8.7, indicating high severity. No EPSS score is available, but the vulnerability is not listed in CISA KEV. The attack vector is inferred to be the REST API, where an attacker only needs authenticated board‑member credentials to manipulate integrations. Once the API is accessed, the attacker can execute administrative actions that are otherwise protected.

Generated by OpenCVE AI on April 27, 2026 at 08:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the WeKan installation to version 8.35 or later to apply the authorization fix.
  • If an upgrade cannot be performed immediately, block or restrict the Integration REST API endpoints using a firewall or reverse‑proxy rule to prevent unauthorized access.
  • Disable or delete any unused integrations and ensure that only users with appropriate admin rights can create or modify integrations.

Generated by OpenCVE AI on April 27, 2026 at 08:23 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 23 Apr 2026 13:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 22 Apr 2026 22:45:00 +0000

Type Values Removed Values Added
First Time appeared Wekan
Wekan wekan
Vendors & Products Wekan
Wekan wekan

Wed, 22 Apr 2026 21:30:00 +0000

Type Values Removed Values Added
Description WeKan before 8.35 contains a missing authorization vulnerability in the Integration REST API endpoints that allows authenticated board members to perform administrative actions without proper privilege verification. Attackers can enumerate integrations including webhook URLs, create new integrations, modify or delete existing integrations, and manage integration activities by exploiting insufficient authorization checks in the JsonRoutes REST handlers.
Title WeKan < 8.35 Missing Authorization via Integration REST API
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 8.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L'}

cvssV4_0

{'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N'}

Subscriptions

Wekan Wekan
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-04-23T12:54:36.663Z

Reserved: 2026-04-20T16:07:47.309Z

Link: CVE-2026-41454

cve-icon Vulnrichment

Updated: 2026-04-23T12:54:31.286Z

cve-icon NVD

Status : Deferred

Published: 2026-04-22T22:16:32.497

Modified: 2026-04-23T16:27:11.540

Link: CVE-2026-41454

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-27T18:42:00Z

Weaknesses