CVE-2025-65779

7.5 HIGH

📋 TL;DR

CVE-2025-65779 is an improper access control vulnerability in Wekan that allows unauthenticated attackers to modify the sort order of boards. This affects all Wekan deployments running versions up to 18.15. The vulnerability exists because the Boards.allow method returns true without verifying user identity.
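To make the flaw concrete, here is an added example (not Wekan's own code) in the Meteor Collection.allow() style the advisory refers to: a rule that returns true unconditionally beside a hardened rule that requires an authenticated board member. The hardened rule and the sample board data are constructed assumptions for illustration, not the actual 18.16 patch.

```javascript
// Added example, not Wekan's code: models the Meteor Collection.allow()
// rule pattern the advisory describes. A Meteor allow rule receives
// (userId, doc, fieldNames, modifier) and returns true to let a
// client-initiated write through; userId is null for anonymous clients.

// Vulnerable shape: every update is permitted, so an unauthenticated
// client can change a board's sort value.
const vulnerableBoardRules = {
  update(userId, doc, fieldNames, modifier) {
    return true;
  },
};

// Hardened shape (an assumed fix for illustration, not the actual 18.16
// patch): require a logged-in user who is a member of the board, and let
// this rule authorise changes to the 'sort' field only.
const hardenedBoardRules = {
  update(userId, doc, fieldNames, modifier) {
    if (!userId) return false; // anonymous caller: deny
    const isMember = Array.isArray(doc.members) &&
      doc.members.some((m) => m.userId === userId);
    if (!isMember) return false;
    return fieldNames.every((f) => f === 'sort');
  },
};

// Stand-in for the server-side gate Meteor applies to client writes:
// the modifier is applied only when the allow rule returns true.
function tryClientUpdate(rules, userId, doc, modifier) {
  const fieldNames = Object.keys(modifier.$set || {});
  if (!rules.update(userId, doc, fieldNames, modifier)) {
    return { applied: false, doc };
  }
  return { applied: true, doc: { ...doc, ...modifier.$set } };
}

// Constructed sample board with a single member.
const sampleBoard = {
  _id: 'board1', title: 'Roadmap', sort: 0,
  members: [{ userId: 'alice', isAdmin: true }],
};
const reorder = { $set: { sort: 99 } };

// Anonymous caller (userId null) succeeds against the vulnerable rule
// and is rejected by the hardened one; a board member may still reorder.
console.log(tryClientUpdate(vulnerableBoardRules, null, sampleBoard, reorder).applied);  // true
console.log(tryClientUpdate(hardenedBoardRules, null, sampleBoard, reorder).applied);    // false
console.log(tryClientUpdate(hardenedBoardRules, 'alice', sampleBoard, reorder).applied); // true
```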

💻 Affected Systems

Products:
  • Wekan
Versions: All versions up to 18.15
Operating Systems: All platforms running Wekan
Default Config Vulnerable: ⚠️ Yes
Notes: All Wekan deployments with default configuration are vulnerable if not patched to version 18.16 or later.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could disrupt board organization for all users, potentially causing operational confusion and productivity loss in teams relying on Wekan for project management.

🟠 Likely Case

Unauthenticated attackers reorder boards, causing minor disruption to workflow organization without data loss or privilege escalation.

🟢 If Mitigated

With proper network segmentation and authentication requirements, impact is limited to internal users with access to the application.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The vulnerability requires minimal technical skill to exploit as it involves unauthenticated API calls to modify board sort values.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 18.16

Vendor Advisory: https://wekan.fi/hall-of-fame/spacebleed/

Restart Required: Yes

Instructions:

1. Back up your Wekan data and configuration.
2. Update Wekan to version 18.16 or later using your deployment method (Docker, Snap, or source).
3. Restart the Wekan service.
4. Verify the update was successful by checking the version.

🔧 Temporary Workarounds

Network Access Restriction (Linux)

Restrict access to Wekan to trusted networks only using firewall rules. Replace TRUSTED_NETWORK with your CIDR range; because -A appends, these rules must come before any existing ACCEPT for port 3000. If Wekan runs as a Docker container with a published port, put the equivalent rules in the DOCKER-USER chain instead, since published-port traffic does not traverse INPUT.

iptables -A INPUT -p tcp --dport 3000 -s TRUSTED_NETWORK -j ACCEPT
iptables -A INPUT -p tcp --dport 3000 -j DROP

🧯 If You Can't Patch

  • Implement network-level authentication (VPN, reverse proxy with authentication) before Wekan access
  • Monitor for unusual API calls to board sort endpoints from unauthenticated sources

🔍 How to Verify

Check if Vulnerable:

Check Wekan version via admin panel or by examining the running container/process. If version is 18.15 or earlier, the system is vulnerable.

Check Version:

docker exec wekan-app cat /build/programs/server/package.json | grep version

Verify Fix Applied:

After updating, verify the version shows 18.16 or later and test that unauthenticated requests to modify board sort values are rejected.

📡 Detection & Monitoring

Log Indicators:

  • Unauthenticated POST/PUT requests to /api/boards/*/sort endpoints
  • Failed authentication attempts followed by board modification requests

Network Indicators:

  • Unusual traffic patterns to board sort API endpoints from external IPs
  • Multiple rapid requests to modify board organization

SIEM Query:

source="wekan-logs" AND uri_path="/api/boards/*/sort" AND (http_method="POST" OR http_method="PUT") AND user_id="null"
