CVE-2026-25566
MEDIUM WAF: Low
CVSS 5.4
Published: 2026-02-07
CWE-863
WeKan versions prior to 8.19 contain an authorization vulnerability in card move logic. A user can specify a destination board/list/swimlane without adequate authorization checks for the destination and without validating that destination objects belong to the destination board, potentially enabling unauthorized cross-board moves.
WAF Coverage Analysis
Incorrect Authorization
Low WAF Coverage
OWASP: A01:2021 Broken Access Control
Affected Software
| Vendor | Product | Version |
|---|---|---|
| wekan_project | wekan | up to 8.19 |
References
- github.com (Patch)
- wekan.fi (Product)
- www.vulncheck.com (Third Party Advisory)