CVE-2025-65782

6.5 MEDIUM

📋 TL;DR

An authorization flaw in Wekan's card update handling allows authenticated board members to manipulate a card's vote arrays by adding or removing arbitrary user IDs. This enables vote forgery and unauthorized voting on all Wekan instances running versions up to and including 18.15.

💻 Affected Systems

Products:
  • Wekan
Versions: All versions up to and including 18.15
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Affects all Wekan deployments with voting functionality enabled.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Malicious board members could manipulate voting outcomes on critical decisions, compromise board integrity, and potentially escalate privileges by manipulating administrative votes.

🟠 Likely Case

Board members manipulating votes to influence decisions, create false consensus, or disrupt collaborative workflows.

🟢 If Mitigated

Limited to authenticated users with board access, with minimal impact if voting features are not heavily used.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated access to a board, but manipulation is straightforward once access is obtained.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 18.16

Vendor Advisory: https://wekan.fi/hall-of-fame/spacebleed/

Restart Required: Yes

Instructions:

1. Back up your Wekan data and configuration.
2. Update Wekan to version 18.16 or later using your package manager or deployment method.
3. Restart the Wekan service.
4. Verify the update was successful.

🔧 Temporary Workarounds

Disable voting functionality

Applies to: all

Temporarily disable voting features to prevent exploitation while planning the upgrade.

Modify the Wekan configuration to disable voting (the specific method depends on the deployment).

🧯 If You Can't Patch

  • Restrict board access to trusted users only and monitor for unusual voting patterns.
  • Implement network segmentation to isolate Wekan instances from critical systems.

🔍 How to Verify

Check if Vulnerable:

Check Wekan version via admin panel or by examining the running container/process. Versions ≤18.15 are vulnerable.

Check Version:

Check Wekan admin interface or run: docker inspect wekan/wekan | grep WEKAN_VERSION (if using Docker)

Verify Fix Applied:

Confirm version is 18.16 or later and test that board members cannot manipulate other users' votes.

📡 Detection & Monitoring

Log Indicators:

  • Unusual vote manipulation patterns in Wekan logs
  • Multiple vote updates from single user in short timeframe

Network Indicators:

  • HTTP POST requests to card update endpoints with modified vote arrays

SIEM Query:

source="wekan" AND (message="vote.positive" OR message="vote.negative") AND user_id!="current_user"
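Both indicators listed above (vote-array changes that touch other users' IDs, and bursts of vote updates from a single user) can be checked mechanically once vote updates are recorded with their before/after state. The following is an added example, not code from the advisory or from the Wekan project: the event format, field names, timestamps and user IDs are constructed for illustration, and real Wekan logs may differ. The `unauthorized_changes` function is also the kind of rule a server-side fix enforces before persisting a card update: a member may only add or remove their own ID.

```python
"""Detect vote-array tampering of the kind CVE-2025-65782 describes.

Added example, not Wekan code. Each audit event (constructed format) records
the acting user, the card, an ISO timestamp, and the card's vote arrays before
and after the update. Field names are assumptions for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events; not real Wekan log output.
EVENTS = [
    # alice casts her own positive vote: legitimate
    {"ts": "2025-01-10T09:00:00", "actor": "alice", "card": "c1",
     "before": {"positive": [], "negative": []},
     "after": {"positive": ["alice"], "negative": []}},
    # mallory adds bob and carol to the positive array: forged votes
    {"ts": "2025-01-10T09:00:05", "actor": "mallory", "card": "c1",
     "before": {"positive": ["alice"], "negative": []},
     "after": {"positive": ["alice", "bob", "carol"], "negative": []}},
    # mallory removes alice's vote: tampering with another user's vote
    {"ts": "2025-01-10T09:00:07", "actor": "mallory", "card": "c1",
     "before": {"positive": ["alice", "bob", "carol"], "negative": []},
     "after": {"positive": ["bob", "carol"], "negative": []}},
    # mallory casts her own negative vote: legitimate on its own
    {"ts": "2025-01-10T09:00:20", "actor": "mallory", "card": "c1",
     "before": {"positive": ["bob", "carol"], "negative": []},
     "after": {"positive": ["bob", "carol"], "negative": ["mallory"]}},
    # bob withdraws his own vote: legitimate
    {"ts": "2025-01-10T09:10:00", "actor": "bob", "card": "c1",
     "before": {"positive": ["bob", "carol"], "negative": ["mallory"]},
     "after": {"positive": ["carol"], "negative": ["mallory"]}},
]


def unauthorized_changes(actor, before, after):
    """Return user IDs other than `actor` that were added to or removed from
    any vote array. An empty result means the update only toggled the actor's
    own vote, which is the only change a board member should be able to make."""
    touched = set()
    for key in set(before) | set(after):
        # symmetric difference = IDs present in exactly one of the two arrays
        touched |= set(before.get(key, [])) ^ set(after.get(key, []))
    touched.discard(actor)
    return sorted(touched)


def is_allowed_vote_update(actor, before, after):
    """Server-side authorization rule: allow only changes to the actor's own ID."""
    return not unauthorized_changes(actor, before, after)


def detect(events, burst_window=timedelta(seconds=60), burst_threshold=3):
    """Run both indicators over a list of events and return findings.

    - ("foreign_vote_change", actor, card, [other_ids]) for every update that
      adds or removes someone else's ID
    - ("vote_update_burst", actor, count) when one actor performs at least
      `burst_threshold` vote updates inside `burst_window`
    """
    findings = []
    per_actor = defaultdict(list)
    for ev in events:
        others = unauthorized_changes(ev["actor"], ev["before"], ev["after"])
        if others:
            findings.append(("foreign_vote_change", ev["actor"], ev["card"], others))
        per_actor[ev["actor"]].append(datetime.fromisoformat(ev["ts"]))

    for actor, times in per_actor.items():
        times.sort()
        for i in range(len(times)):
            # count updates in the window that starts at times[i]
            j = i
            while j < len(times) and times[j] - times[i] <= burst_window:
                j += 1
            if j - i >= burst_threshold:
                findings.append(("vote_update_burst", actor, j - i))
                break  # one burst finding per actor is enough
    return findings


if __name__ == "__main__":
    for finding in detect(EVENTS):
        print(finding)
```

The symmetric difference makes the check independent of how the vote arrays are stored: reordering an array produces no finding, while any ID that appears or disappears other than the actor's own does. The burst threshold and window are tuning knobs for the "multiple vote updates in a short timeframe" indicator and should be adjusted to how actively a board is used.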
