CVE-2026-25567
5.3
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
Summary
WeKan versions prior to 8.19 contain an insecure direct object reference (IDOR) in the card comment creation API. The endpoint accepts an authorId from the request body, allowing an authenticated user to spoof the recorded comment author by supplying another user's identifier.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| WeKan | WeKan | 0 < 8.19 | affected |
Weaknesses
- CWE-639: CWE-639 Authorization Bypass Through User-Controlled Key
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: partial
References
- https://github.com/wekan/wekan/commit/67cb47173c1a152d9eaf5469740992b2dacdf62d
- https://wekan.fi/
- https://www.vulncheck.com/advisories/wekan-card-comment-author-spoofing-via-user-controlled-authorid
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.