CVE-2026-25562
📋 TL;DR
WeKan versions before 8.19 have an information disclosure vulnerability: attachment metadata can be read by users who are not authorized to view the board or card the attachment belongs to. The cause is that the attachments publication (the server-side data feed that Meteor clients subscribe to; WeKan is a Meteor application) does not scope its results to the boards and cards the requesting user can access. All WeKan instances running vulnerable versions are affected.
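The scoping gap described above, as an added illustrative example (this is not WeKan's code and does not reproduce the vendor's fix): an unscoped publication-style query beside one that restricts results to boards the subscriber may read. The board, card and attachment records, the `permission` and `members` fields, and the function names are assumptions made for the example.

```javascript
// Added illustrative example, not WeKan's code. Models a Meteor-style
// "attachments" publication that leaks metadata when it is not scoped to the
// subscriber, next to the same query with board/card scoping applied.
// Data model and field names are assumptions for the example.

// Constructed sample data: one public board and one private board.
const boards = [
  { _id: 'b1', title: 'Public roadmap', permission: 'public',
    members: [{ userId: 'alice', isActive: true }] },
  { _id: 'b2', title: 'Acquisition (confidential)', permission: 'private',
    members: [{ userId: 'alice', isActive: true }, { userId: 'carol', isActive: false }] },
];
const cards = [
  { _id: 'c1', boardId: 'b1', archived: false },
  { _id: 'c2', boardId: 'b2', archived: false },
];
// a3 carries a boardId that disagrees with its card's real board (stale or
// tampered); a scoped query should not trust the attachment's own boardId alone.
const attachments = [
  { _id: 'a1', cardId: 'c1', boardId: 'b1', name: 'roadmap.pdf', uploadedAt: '2026-01-10' },
  { _id: 'a2', cardId: 'c2', boardId: 'b2', name: 'term-sheet-draft.docx', uploadedAt: '2026-01-12' },
  { _id: 'a3', cardId: 'c2', boardId: 'b1', name: 'valuation.xlsx', uploadedAt: '2026-01-13' },
];

// Vulnerable shape: every attachment record is returned regardless of who
// subscribes. Only metadata (names, dates, board/card ids) is exposed, which is
// exactly the disclosure the advisory describes.
function publishAttachmentsUnscoped(userId) {
  return attachments;
}

// Boards the user may read: public boards, plus private boards where the user
// is an active member. An anonymous subscriber (null userId) sees only public.
function readableBoardIds(userId) {
  return new Set(
    boards
      .filter(b => b.permission === 'public' ||
        (userId && b.members.some(m => m.userId === userId && m.isActive)))
      .map(b => b._id),
  );
}

// Hardened shape: derive the allowed board set server-side from the subscriber's
// identity, constrain the attachment query to it, and require that the
// attachment's card actually lives on that board.
function publishAttachmentsScoped(userId) {
  const allowed = readableBoardIds(userId);
  const cardBoard = new Map(cards.map(c => [c._id, c.boardId]));
  return attachments.filter(a =>
    allowed.has(a.boardId) && cardBoard.get(a.cardId) === a.boardId);
}
```

The card-to-board cross-check is the part most often skipped: filtering on the attachment's own `boardId` is only as trustworthy as whatever wrote that field.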
💻 Affected Systems
- WeKan
⚠️ Manual Verification Required
This CVE entry carries no machine-readable version ranges, so automatic vulnerability detection cannot determine from the database alone whether your system is affected.
Why? The CVE database entry does not specify affected version ranges (none provided by the vendor/NVD). The vendor commit referenced under Official Fix identifies 8.19 as the fixed release, so treat any earlier version as affected until you have confirmed otherwise.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers could enumerate all attachment metadata across all boards, potentially revealing sensitive file names, upload dates, and board/card relationships that should be private.
Likely Case
Unauthorized users accessing metadata about attachments in boards they shouldn't have access to, potentially learning about sensitive projects or files.
If Mitigated
Limited exposure of non-sensitive metadata with proper access controls and monitoring in place.
🎯 Exploit Status
Exploitation requires an authenticated account on the instance but minimal technical skill: no memory corruption or crafted payload is involved, only receiving data the server fails to filter for the requesting user.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 8.19 and later
Vendor Advisory: https://github.com/wekan/wekan/commit/6dfa3beb2b6ab23438d0f4395b84bf0749eb4820
Restart Required: Yes
Instructions:
1. Back up your WeKan instance.
2. Update to WeKan version 8.19 or later.
3. Restart the WeKan service.
4. Verify the update was successful by confirming that the running instance reports version 8.19 or later.
🔧 Temporary Workarounds
Disable attachments feature
Temporarily disable the attachments feature to prevent further metadata disclosure.
Modify the WeKan configuration to disable attachment uploads. Note that blocking new uploads does not remove metadata already stored for existing attachments, so this only limits additional exposure.
Restrict user access
Implement strict access controls and limit user permissions.
Review and tighten board/card permissions in WeKan, and limit who can hold an account on the instance: the flaw bypasses board-level membership checks for this publication, so board permissions alone do not close it.
🧯 If You Can't Patch
- Implement network segmentation to isolate WeKan instance
- Enable detailed logging and monitor for unusual attachment metadata access patterns
🔍 How to Verify
Check if Vulnerable:
Any WeKan release earlier than 8.19 is affected; read the running version from the admin interface or by examining the running container/installation.
Check Version:
Use the WeKan web interface admin panel, or docker inspect on the running container, to read the version.
Verify Fix Applied:
Confirm the version is 8.19 or later, then test from a low-privileged account that is not a member of a private board: attachment metadata for that board's cards must not be returned to it.
📡 Detection & Monitoring
Log Indicators:
- Unusual patterns of attachment metadata requests from users
- Requests for attachment data from boards the user shouldn't access
Network Indicators:
- Increased API calls to attachments endpoints from single users
SIEM Query (pseudo-query; adapt the source and field names to your log pipeline, and maintain authorized_users yourself from an export of board membership, since the SIEM has no built-in notion of who may read which board):
source="wekan" AND (event="attachment_metadata" OR endpoint="/api/attachments") AND user NOT IN authorized_users
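The log indicators above, as an added example that is neither WeKan's logging nor a vendor-supplied detection rule: a small detector run over constructed log lines that flags (1) attachment requests for boards the user is not a member of and (2) users whose attachment request count exceeds a threshold. The log line format, the field names and the membership table are invented for the example; swap in your own parser and a membership export from your instance.

```javascript
// Added detection example, not WeKan's logging and not a vendor rule.
// Two indicators from the advisory are modelled over constructed log lines:
//  1. a user requesting attachment data for a board they are not a member of
//  2. a single user issuing an unusually high number of attachment requests
// The line format (ts key=value ...) is invented for the example.

// Constructed membership table: user -> boards they may read.
const membership = {
  alice: new Set(['b1', 'b2']),
  bob: new Set(['b1']),
};

// Constructed sample log. bob walks board ids he is not a member of;
// mallory is not in the membership table at all.
const sampleLog = [
  '2026-02-01T10:00:01Z user=alice sub=attachments boardId=b1',
  '2026-02-01T10:00:02Z user=alice sub=attachments boardId=b2',
  '2026-02-01T10:00:03Z user=bob sub=attachments boardId=b1',
  '2026-02-01T10:00:04Z user=bob sub=attachments boardId=b2',
  '2026-02-01T10:00:05Z user=bob sub=attachments boardId=b3',
  '2026-02-01T10:00:06Z user=bob sub=attachments boardId=b4',
  '2026-02-01T10:00:07Z user=bob sub=attachments boardId=b5',
  '2026-02-01T10:00:08Z user=bob sub=cards boardId=b1',
  '2026-02-01T10:00:09Z user=mallory sub=attachments boardId=b1',
];

// Parse "ts key=value key=value ..." into an object.
function parseLine(line) {
  const [ts, ...kvs] = line.trim().split(/\s+/);
  const rec = { ts };
  for (const kv of kvs) {
    const i = kv.indexOf('=');
    if (i > 0) rec[kv.slice(0, i)] = kv.slice(i + 1);
  }
  return rec;
}

// Returns a list of findings. maxPerUser is the per-user request threshold
// for the volume indicator; tune it to your instance's normal traffic.
function detect(lines, members, { maxPerUser = 3 } = {}) {
  const findings = [];
  const perUser = new Map();
  for (const line of lines) {
    const r = parseLine(line);
    if (r.sub !== 'attachments') continue;       // only attachment traffic
    perUser.set(r.user, (perUser.get(r.user) || 0) + 1);
    const allowed = members[r.user];
    if (!allowed || !allowed.has(r.boardId)) {  // unknown user or foreign board
      findings.push({ type: 'unauthorized_board', user: r.user, boardId: r.boardId, ts: r.ts });
    }
  }
  for (const [user, count] of perUser) {
    if (count > maxPerUser) findings.push({ type: 'volume', user, count });
  }
  return findings;
}
```

On a vulnerable server the unauthorized requests succeed silently, so the only signal is the request pattern itself; the membership lookup is what turns a plain access log into an authorization-aware alert.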