CVE-2026-25561
📋 TL;DR
This vulnerability in WeKan allows attackers to upload attachments to arbitrary locations by exploiting inconsistent validation of object relationships in the attachment upload API. Attackers can bypass authorization checks by providing mismatched board, card, swimlane, and list identifiers. All WeKan instances running versions before 8.19 are affected.
💻 Affected Systems
- WeKan
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers could upload malicious files to any board/card in the system, potentially leading to data exfiltration, unauthorized access to sensitive information, or serving malicious content to users.
Likely Case
Unauthorized users could upload attachments to boards/cards they shouldn't have access to, compromising data integrity and potentially exposing sensitive information.
If Mitigated
With proper network segmentation and access controls, impact would be limited to the WeKan application itself without lateral movement to other systems.
🎯 Exploit Status
Exploitation requires authenticated access, but because the flaw sits in the authorization logic it is relatively easy to exploit once a user is authenticated.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 8.19 and later
Vendor Advisory: https://github.com/wekan/wekan/commit/1d16955b6d4f0a0282e89c2c1b0415c7597019b8
Restart Required: Yes
Instructions:
1. Backup your WeKan instance and data.
2. Update WeKan to version 8.19 or later using your deployment method (Docker, Snap, or source).
3. Restart the WeKan service.
4. Verify the update was successful.
🔧 Temporary Workarounds
Disable Attachment Uploads
Temporarily disable attachment upload functionality in WeKan configuration
Edit WeKan configuration to set ATTACHMENTS_UPLOAD_ENABLED=false
Restrict API Access
Implement network-level restrictions to limit access to the attachment upload API endpoints
Configure firewall rules to restrict access to /api/boards/*/cards/*/attachments endpoints
🧯 If You Can't Patch
- Implement strict access controls and monitor for unusual attachment upload patterns
- Deploy a web application firewall (WAF) with rules to detect and block suspicious API calls to attachment endpoints
🔍 How to Verify
Check if Vulnerable:
Check the WeKan version via the admin panel or by examining the running container/process. If the version is below 8.19, the system is vulnerable.
Check Version:
docker exec wekan-container node -p "require('./package.json').version" or check Admin Panel → Version
Verify Fix Applied:
After updating, verify the version is 8.19 or higher and test that attachment uploads now properly validate object relationships.
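To show what "properly validate object relationships" means for the verification step above, here is an added illustration in JavaScript (not WeKan's own code; the in-memory records, field names and the two check functions are assumptions) contrasting a check that trusts the caller-supplied board identifier with one that derives the board from the card and requires every supplied identifier to agree with it:

```javascript
// Added illustration, not WeKan code: why an upload check must tie the
// supplied board, swimlane, list and card ids to one consistent object chain.

// Constructed records standing in for the boards/swimlanes/lists/cards collections.
const db = {
  boards:    { b1: { members: ['alice'] }, b2: { members: ['bob'] } },
  swimlanes: { s1: { boardId: 'b1' }, s2: { boardId: 'b2' } },
  lists:     { l1: { boardId: 'b1' }, l2: { boardId: 'b2' } },
  cards:     { c1: { boardId: 'b1', swimlaneId: 's1', listId: 'l1' },
               c2: { boardId: 'b2', swimlaneId: 's2', listId: 'l2' } },
};

// Weak pattern: membership is checked on the caller-supplied boardId while the
// attachment is stored against the caller-supplied cardId, which may belong to
// a different board the caller cannot access.
function canUploadWeak(userId, req) {
  const board = db.boards[req.boardId];
  return Boolean(board && board.members.includes(userId) && db.cards[req.cardId]);
}

// Hardened pattern: start from the card, rebuild the board/swimlane/list chain
// from its own fields, reject any supplied id that disagrees, and only then
// authorize the user against the board the card really belongs to.
function canUploadHardened(userId, req) {
  const card = db.cards[req.cardId];
  if (!card) return false;
  const list = db.lists[card.listId];
  const swimlane = db.swimlanes[card.swimlaneId];
  const board = db.boards[card.boardId];
  if (!list || !swimlane || !board) return false;
  const consistent =
    req.boardId === card.boardId &&
    req.listId === card.listId &&
    req.swimlaneId === card.swimlaneId &&
    list.boardId === card.boardId &&
    swimlane.boardId === card.boardId;
  return consistent && board.members.includes(userId);
}

// Constructed test requests: bob is a member of b2 only. The first mixes b2's
// ids with a card from b1; the second is internally consistent.
const mismatched = { boardId: 'b2', swimlaneId: 's2', listId: 'l2', cardId: 'c1' };
const consistent = { boardId: 'b2', swimlaneId: 's2', listId: 'l2', cardId: 'c2' };
```

A patched instance should behave like the hardened function: the mismatched request is refused even though the caller is a legitimate member of the board named in the URL.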
📡 Detection & Monitoring
Log Indicators:
- Unusual attachment upload patterns
- API calls to /api/boards/*/cards/*/attachments with mismatched IDs
- Failed authorization attempts on attachment endpoints
Network Indicators:
- HTTP POST requests to attachment upload endpoints with inconsistent board/card/swimlane/list parameters
SIEM Query:
source="wekan" AND (uri_path="/api/boards/*/cards/*/attachments" OR message="attachment upload") AND (status=200 OR status=403)