CVE-2026-25563
7.1
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
Summary
WeKan versions prior to 8.19 contain an insecure direct object reference (IDOR) in checklist creation and related checklist routes. The implementation does not verify that the supplied cardId belongs to the supplied boardId, allowing cross-board ID tampering by manipulating identifiers.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| WeKan | WeKan | 0 < 8.19 | affected |
Weaknesses
- CWE-639: CWE-639 Authorization Bypass Through User-Controlled Key
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: partial
References
- https://github.com/wekan/wekan/commit/5cd875813fdec5a3c40a0358b30a347967c85c14
- https://wekan.fi/
- https://www.vulncheck.com/advisories/wekan-checklist-creation-cross-board-idor
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.