WeKan < 8.35 Missing Authorization via Integration REST API

8.7 / 10

HIGH

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N

Description

WeKan before 8.35 contains a missing authorization vulnerability in the Integration REST API endpoints that allows authenticated board members to perform administrative actions without proper privilege verification. Attackers can enumerate integrations including webhook URLs, create new integrations, modify or delete existing integrations, and manage integration activities by exploiting insufficient authorization checks in the JsonRoutes REST handlers.

AI Analysis

Missing authorization vulnerability in WeKan's Integration REST API

Basic Information

ID CVE-2026-41454

Source VulnCheck

Published Apr 22, 2026 at 21:08

Modified Apr 22, 2026 at 21:12

Affected Product

Vendor wekan

Product wekan

Affected Versions wekan wekan 0

CWE Classification

CWE-862

AI Assessment

AI Score 8.7 / 10

AI Severity High

Vendor WeKan

Product WeKan

Version < 8.35

References

{
    "lastseen": "",
    "description": "WeKan before\u00a08.35 contains a missing authorization vulnerability in the Integration REST API endpoints that allows authenticated board members to perform administrative actions without proper privilege verification. Attackers can enumerate integrations including webhook URLs, create new integrations, modify or delete existing integrations, and manage integration activities by exploiting insufficient authorization checks in the JsonRoutes REST handlers.",
    "published": "2026-04-22T21:08:38.616Z",
    "modified": "2026-04-22T21:12:36.834Z",
    "type": "cve",
    "title": "WeKan < 8.35 Missing Authorization via Integration REST API",
    "source": "VulnCheck",
    "references": "https://github.com/wekan/wekan/releases/tag/v8.35\nhttps://github.com/wekan/wekan/commit/2cd702f48df2b8aef0e7381685f8e089986a18a4\nhttps://www.vulncheck.com/advisories/wekan-missing-authorization-via-integration-rest-api",
    "id": "CVE-2026-41454",
    "bulletinFamily": "",
    "cwe": [
        "CWE-862"
    ],
    "cvelist": null,
    "sourceData": "wekan wekan 0",
    "sourceHref": "",
    "cvss": {
        "score": 8.7,
        "severity": "HIGH",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "wekan",
    "version": "0",
    "vendor": "wekan",
    "ai_description": "Missing authorization vulnerability in WeKan's Integration REST API",
    "ai_severity": "High",
    "ai_vendor": "WeKan",
    "ai_product": "WeKan",
    "ai_version": "< 8.35",
    "ai_score": 8.7
}

WeKan < 8.35 Missing Authorization via Integration REST API_CVE-2026-41454