CVE-2025-65780
📋 TL;DR
Authenticated users in Wekan versions up to 18.15 can modify their entire user document, including organization/team memberships and account status fields, due to missing server-side authorization checks. This allows privilege escalation and unauthorized access to other teams and organizations. All Wekan instances running vulnerable versions are affected.
💻 Affected Systems
- Wekan
📦 What is this software?
Wekan by Wekan Project
⚠️ Risk & Real-World Impact
Worst Case
An authenticated attacker could grant themselves administrative privileges, disable other users' accounts, access all organizations/teams, and potentially take full control of the Wekan instance.
Likely Case
Malicious users or compromised accounts escalate privileges to access restricted teams/organizations, steal sensitive kanban data, or disrupt operations by disabling other users.
If Mitigated
With proper network segmentation and monitoring, impact is limited to unauthorized access within the Wekan application scope.
🎯 Exploit Status
Exploitation requires authenticated access but is straightforward once authenticated. The vulnerability is in the user update API endpoint.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 18.16
Vendor Advisory: https://wekan.fi/hall-of-fame/spacebleed/
Restart Required: Yes
Instructions:
1. Backup your Wekan data and configuration.
2. Update Wekan to version 18.16 or later using your deployment method (Docker, Snap, etc.).
3. Restart the Wekan service.
4. Verify the update was successful.
🔧 Temporary Workarounds
Restrict User Update API
Implement a web application firewall or reverse proxy rule to block or monitor requests to user update endpoints.
🧯 If You Can't Patch
- Implement strict network access controls to limit Wekan access to trusted users only.
- Enable detailed logging of all user modification actions and monitor for suspicious activity.
🔍 How to Verify
Check if Vulnerable:
Check your Wekan version. If it's 18.15 or earlier, you are vulnerable.
Check Version:
Check the Wekan admin panel or run: docker inspect wekan/wekan | grep WEKAN_VERSION
Verify Fix Applied:
After updating, confirm the version is 18.16 or later and test that user profile updates are properly restricted.
📡 Detection & Monitoring
Log Indicators:
- Unusual user document modifications
- Multiple privilege escalation attempts
- User accounts being disabled unexpectedly
Network Indicators:
- HTTP POST/PUT requests to user update endpoints with unusual parameters
SIEM Query:
source="wekan" AND (event="user_update" OR event="profile_update") AND (params INCLUDES "loginDisabled" OR params INCLUDES "orgs")
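The log indicators and SIEM query above describe the pattern to look for; the script below is an added example (not Wekan's own code or tooling) that applies it offline to constructed audit log lines. It assumes a JSON-per-line audit log with event, actor, target and params keys; the field names loginDisabled and orgs come from the SIEM query above, while teams, isAdmin and actorIsAdmin are assumed names for the team-membership, admin-flag and actor-role attributes.

```python
import json
from dataclasses import dataclass

# loginDisabled and orgs are named in the advisory's SIEM query; teams and isAdmin
# are assumed key names for the team-membership and admin flags the advisory describes.
SENSITIVE_FIELDS = {"loginDisabled", "orgs", "teams", "isAdmin"}

# Constructed sample audit log (one JSON object per line); not real Wekan output.
SAMPLE_LOG = """
{"ts":"2025-11-20T10:01:00Z","event":"profile_update","actor":"alice","target":"alice","params":{"profile.fullname":"Alice A."}}
{"ts":"2025-11-20T10:02:00Z","event":"user_update","actor":"mallory","target":"mallory","params":{"orgs":["org-finance"],"isAdmin":true}}
{"ts":"2025-11-20T10:03:00Z","event":"user_update","actor":"mallory","target":"bob","params":{"loginDisabled":true}}
{"ts":"2025-11-20T10:04:00Z","event":"user_update","actor":"admin","target":"bob","params":{"teams":["team-ops"]},"actorIsAdmin":true}
"""


@dataclass
class Finding:
    ts: str
    actor: str
    target: str
    fields: list
    reason: str


def parse_events(text):
    """Yield one dict per non-empty JSON line."""
    for line in text.strip().splitlines():
        line = line.strip()
        if line:
            yield json.loads(line)


def inspect_event(ev):
    """Return a Finding when a non-admin actor touches a sensitive user field, else None."""
    if ev.get("event") not in ("user_update", "profile_update"):
        return None
    touched = sorted(SENSITIVE_FIELDS & set(ev.get("params", {})))
    if not touched:
        return None
    # Administrators legitimately change these fields; only flag non-admin actors.
    if ev.get("actorIsAdmin"):
        return None
    reason = "self-escalation" if ev["actor"] == ev["target"] else "cross-user modification"
    return Finding(ev["ts"], ev["actor"], ev["target"], touched, reason)


def scan(text):
    """Run inspect_event over every line and keep the findings."""
    return [f for f in (inspect_event(ev) for ev in parse_events(text)) if f]


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.ts} {f.actor} -> {f.target}: {f.reason} on {', '.join(f.fields)}")
```

On the sample data the two mallory events are flagged (one self-escalation via orgs/isAdmin, one cross-user loginDisabled change) while the routine profile edit and the administrator's team change are not.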