WeKan < 8.19 Card Comment Author Spoofing via User-controlled authorId

5.3 / 10

MEDIUM

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

Description

WeKan versions prior to 8.19 contain an insecure direct object reference (IDOR) in the card comment creation API. The endpoint accepts an authorId from the request body, allowing an authenticated user to spoof the recorded comment author by supplying another user's identifier.

Basic Information

ID CVE-2026-25567

Source VulnCheck

Published Feb 7, 2026 at 21:58

Affected Product

Vendor WeKan

Product WeKan

Affected Versions WeKan WeKan 0

CWE Classification

CWE-639

References

{
    "lastseen": "",
    "description": "WeKan versions prior to 8.19 contain an insecure direct object reference (IDOR) in the card comment creation API. The endpoint accepts an authorId from the request body, allowing an authenticated user to spoof the recorded comment author by supplying another user's identifier.",
    "published": "2026-02-07T21:58:53.680Z",
    "modified": "2026-02-07T21:58:53.680Z",
    "type": "cve",
    "title": "WeKan < 8.19 Card Comment Author Spoofing via User-controlled authorId",
    "source": "VulnCheck",
    "references": "https://github.com/wekan/wekan/commit/67cb47173c1a152d9eaf5469740992b2dacdf62d\nhttps://wekan.fi/\nhttps://www.vulncheck.com/advisories/wekan-card-comment-author-spoofing-via-user-controlled-authorid",
    "id": "CVE-2026-25567",
    "bulletinFamily": "",
    "cwe": [
        "CWE-639"
    ],
    "cvelist": null,
    "sourceData": "WeKan WeKan 0",
    "sourceHref": "",
    "cvss": {
        "score": 5.3,
        "severity": "MEDIUM",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "WeKan",
    "version": "0",
    "vendor": "WeKan",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

WeKan < 8.19 Card Comment Author Spoofing via User-controlled authorId_CVE-2026-25567