CVE-2026-25560
📋 TL;DR
CVE-2026-25560 is an LDAP filter injection vulnerability in WeKan versions before 8.19. Attackers can manipulate LDAP queries during authentication by injecting malicious filters through username input, potentially bypassing authentication or extracting sensitive directory information. Organizations using WeKan with LDAP authentication are affected.
💻 Affected Systems
- WeKan
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete LDAP directory compromise allowing authentication bypass, privilege escalation, and extraction of sensitive user/group data from the LDAP server.
Likely Case
Authentication bypass allowing unauthorized access to WeKan boards and data, or limited LDAP information disclosure.
If Mitigated
Failed authentication attempts logged, no access granted, but LDAP query manipulation may still be detectable.
🎯 Exploit Status
Exploitation requires access to login interface but no prior authentication. LDAP filter injection is well-understood attack vector.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 8.19 and later
Vendor Advisory: https://github.com/wekan/wekan/commit/0b0e16c3eae28bbf453d33a81a9c58ce7db6d5bb
Restart Required: Yes
Instructions:
1. Backup your WeKan instance and database. 2. Update WeKan to version 8.19 or later using your deployment method (Docker, Snap, etc.). 3. Restart the WeKan service. 4. Verify the update was successful.
🔧 Temporary Workarounds
Disable LDAP Authentication
allTemporarily switch to local authentication or OAuth until patching is possible
Edit WeKan configuration to disable LDAP and enable alternative authentication method
Network Segmentation
allRestrict access to WeKan login interface and LDAP server communication
Configure firewall rules to limit source IPs that can access WeKan login and LDAP ports
🧯 If You Can't Patch
- Implement Web Application Firewall (WAF) with LDAP injection detection rules
- Enable detailed logging for all authentication attempts and monitor for unusual patterns
🔍 How to Verify
Check if Vulnerable:
Check WeKan version and LDAP configuration. If version < 8.19 and LDAP authentication is enabled, system is vulnerable.Check Version:
docker exec wekan-app node -e "console.log(require('/app/package.json').version)" (for Docker) or check package.json versionVerify Fix Applied:
Confirm WeKan version is 8.19 or later and test LDAP authentication with various username inputs.📡 Detection & Monitoring
Log Indicators:
- Unusual LDAP query patterns in authentication logs
- Failed login attempts with special characters in username field
- LDAP error messages containing injected filter syntax
Network Indicators:
- Multiple authentication attempts with varying username parameters
- Unusual LDAP query response sizes
SIEM Query:
source="wekan" AND ("LDAP" OR "authentication") AND ("error" OR "failed") AND username=*[()&|!*]