WeKan < 8.19 Attachment Upload Object Relationship Validation Bypass

7.1 / 10

HIGH

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

Description

WeKan versions prior to 8.19 contain an authorization weakness in the attachment upload API. The API does not fully validate that provided identifiers (such as boardId, cardId, swimlaneId, and listId) are consistent and refer to a coherent card/board relationship, enabling attempts to upload attachments with mismatched object relationships.

Basic Information

ID CVE-2026-25561

Source VulnCheck

Published Feb 7, 2026 at 21:56

Affected Product

Vendor WeKan

Product WeKan

Affected Versions WeKan WeKan 0

CWE Classification

CWE-863

References

{
    "lastseen": "",
    "description": "WeKan versions prior to 8.19 contain an authorization weakness in the attachment upload API. The API does not fully validate that provided identifiers (such as boardId, cardId, swimlaneId, and listId) are consistent and refer to a coherent card/board relationship, enabling attempts to upload attachments with mismatched object relationships.",
    "published": "2026-02-07T21:56:52.408Z",
    "modified": "2026-02-07T21:56:52.408Z",
    "type": "cve",
    "title": "WeKan < 8.19 Attachment Upload Object Relationship Validation Bypass",
    "source": "VulnCheck",
    "references": "https://github.com/wekan/wekan/commit/1d16955b6d4f0a0282e89c2c1b0415c7597019b8\nhttps://wekan.fi/\nhttps://www.vulncheck.com/advisories/wekan-attachment-upload-object-relationship-validation-bypass",
    "id": "CVE-2026-25561",
    "bulletinFamily": "",
    "cwe": [
        "CWE-863"
    ],
    "cvelist": null,
    "sourceData": "WeKan WeKan 0",
    "sourceHref": "",
    "cvss": {
        "score": 7.1,
        "severity": "HIGH",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "WeKan",
    "version": "0",
    "vendor": "WeKan",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

WeKan < 8.19 Attachment Upload Object Relationship Validation Bypass_CVE-2026-25561