WeKan < 8.19 Read-only Board Roles Can Update Cards

7.1 / 10

HIGH

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

Description

WeKan versions prior to 8.19 contain an authorization vulnerability where certain card update API paths validate only board read access rather than requiring write permission. This can allow users with read-only roles to perform card updates that should require write access.

Basic Information

ID CVE-2026-25565

Source VulnCheck

Published Feb 7, 2026 at 21:58

Affected Product

Vendor WeKan

Product WeKan

Affected Versions WeKan WeKan 0

CWE Classification

CWE-863

References

{
    "lastseen": "",
    "description": "WeKan versions prior to 8.19 contain an authorization vulnerability where certain card update API paths validate only board read access rather than requiring write permission. This can allow users with read-only roles to perform card updates that should require write access.",
    "published": "2026-02-07T21:58:13.152Z",
    "modified": "2026-02-07T21:58:13.152Z",
    "type": "cve",
    "title": "WeKan < 8.19 Read-only Board Roles Can Update Cards",
    "source": "VulnCheck",
    "references": "https://github.com/wekan/wekan/commit/181f837d8cbae96bdf9dcbd31beaa3653c2c0285\nhttps://wekan.fi/\nhttps://www.vulncheck.com/advisories/wekan-read-only-board-roles-can-update-cards",
    "id": "CVE-2026-25565",
    "bulletinFamily": "",
    "cwe": [
        "CWE-863"
    ],
    "cvelist": null,
    "sourceData": "WeKan WeKan 0",
    "sourceHref": "",
    "cvss": {
        "score": 7.1,
        "severity": "HIGH",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "WeKan",
    "version": "0",
    "vendor": "WeKan",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

WeKan < 8.19 Read-only Board Roles Can Update Cards_CVE-2026-25565