CVE-2026-25564
📋 TL;DR
This CVE describes an Insecure Direct Object Reference (IDOR) vulnerability in WeKan versions before 8.19. Checklist operations act on the checklist identifier the client supplies without confirming that the checklist belongs to a board the caller is authorized for, so an authenticated user can read or modify checklists on boards they are not a member of simply by changing the identifier. All WeKan instances running vulnerable versions are affected.
💻 Affected Systems
- WeKan
⚠️ Manual Verification Required
This CVE carries no machine-readable version range in our database, so automatic vulnerability detection cannot determine from version data alone whether your system is affected.
Why? The NVD entry does not specify vulnerable version ranges. The CVE description and the fix commit indicate that versions before 8.19 are affected, so check your installed version manually (see How to Verify below).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Any authenticated user could delete, modify, or create checklists on boards they are not a member of, potentially disrupting workflows and causing data loss across the whole instance.
Likely Case
Unauthorized access to checklist data across boards: an authenticated user views or tampers with checklist items on boards they have no membership in.
If Mitigated
Restricting access to trusted users and monitoring checklist activity reduce exposure, but the vulnerability remains: anyone who can log in can still cross board boundaries until WeKan is updated to 8.19 or later.
🎯 Exploit Status
Exploitation requires authenticated access but is straightforward once authenticated.
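The pattern behind this class of bug, as an added example that is not WeKan's code: an in-memory model of boards, cards and checklists with a vulnerable "modify checklist" handler next to a hardened one. Every name here (boards, cards, checklists, canAccessBoard, modifyChecklistVulnerable, modifyChecklistFixed, attempt) is an assumption made for illustration, not a WeKan API.

```javascript
// Added example, not WeKan code. Models the IDOR pattern described above with
// an in-memory store; all names are assumptions made for illustration.

// Constructed data: alice is a member of board_A only, bob of board_B only.
const boards = {
  board_A: { members: new Set(["alice"]) },
  board_B: { members: new Set(["bob"]) },
};
const cards = {
  card_1: { boardId: "board_A" },
  card_2: { boardId: "board_B" },
};
const checklists = {
  cl_1: { cardId: "card_1", title: "Release steps" },
  cl_2: { cardId: "card_2", title: "Payroll review" },
};

function canAccessBoard(userId, boardId) {
  const board = boards[boardId];
  return Boolean(board && board.members.has(userId));
}

// Vulnerable pattern: the handler checks only that the caller is logged in and
// that a checklist with the supplied id exists. Nothing ties that checklist to
// a board the caller may access, so any authenticated user can rewrite any
// checklist whose id they can guess or harvest.
function modifyChecklistVulnerable(userId, checklistId, newTitle) {
  if (!userId) throw new Error("not authenticated");
  const cl = checklists[checklistId];
  if (!cl) throw new Error("not found");
  cl.title = newTitle;
  return cl;
}

// Hardened pattern: walk the ownership chain the server itself stores
// (checklist -> card -> board) and authorize against the board found there.
// The board id is never taken from the request, so a client cannot
// "re-parent" a checklist by naming a board it happens to be a member of.
function modifyChecklistFixed(userId, checklistId, newTitle) {
  if (!userId) throw new Error("not authenticated");
  const cl = checklists[checklistId];
  const card = cl && cards[cl.cardId];
  if (!card || !canAccessBoard(userId, card.boardId)) {
    // Same response as a missing id, so the check is not an oracle for
    // enumerating which checklist ids exist.
    throw new Error("not found");
  }
  cl.title = newTitle;
  return cl;
}

// Runs a handler and reports "ok" or the error message it raised.
function attempt(handler, userId, checklistId, newTitle) {
  try {
    handler(userId, checklistId, newTitle);
    return "ok";
  } catch (err) {
    return err.message;
  }
}

// bob is not a member of board_A but targets cl_1, which lives there.
console.log("vulnerable handler:", attempt(modifyChecklistVulnerable, "bob", "cl_1", "tampered"));
console.log("fixed handler:     ", attempt(modifyChecklistFixed, "bob", "cl_1", "tampered"));
```

The point of the fixed handler is that authorization is derived from stored relationships, not from identifiers in the request; the same shape applies to any object that hangs off a board (cards, comments, attachments).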
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 8.19 and later
Vendor Advisory (fix commit): https://github.com/wekan/wekan/commit/08a6f084eba09487743a7c807fb4a9000fcfa9ac
Restart Required: Yes
Instructions:
1. Backup your WeKan data.
2. Update WeKan to version 8.19 or later.
3. Restart the WeKan service.
4. Verify the update was successful.
🔧 Temporary Workarounds
Temporary Access Restriction
Restrict access to WeKan to trusted users only while planning the update. Exploitation needs an authenticated account, so this limits who can reach the vulnerable checklist operations, but it does not stop a trusted user from crossing board boundaries.
🧯 If You Can't Patch
- Implement strict network segmentation to limit WeKan access to authorized users only.
- Enable detailed logging and monitoring for suspicious checklist-related activities.
🔍 How to Verify
Check if Vulnerable:
Check WeKan version via admin panel or by examining the deployment. If version is below 8.19, it is vulnerable.
Check Version:
Check WeKan web interface admin panel or docker inspect for version information.
Verify Fix Applied:
After updating, confirm the version is 8.19 or higher and test checklist functionality across boards.
📡 Detection & Monitoring
Log Indicators:
- Checklist create/modify/delete events where the checklist or card belongs to a board the acting user is not a member of, or one user touching checklists across an unusual number of distinct boards
- After patching: failed authorization on checklist operations. Before patching these requests succeed, so they will not appear as failures on a vulnerable install
Network Indicators:
- API calls to checklist endpoints where the supplied board or card ID does not match the board the checklist actually belongs to
SIEM Query:
Illustrative Splunk-style query; the event and field names depend on what your WeKan deployment and log pipeline actually emit, and `expected_board_id` must come from a lookup of the checklist's real board (for example a database export), since the request alone only carries what the client claimed:
source="wekan" AND (event="checklist_create" OR event="checklist_modify") AND board_id != expected_board_id
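The detection logic described in this section, run over constructed log lines, as an added example that is not WeKan's logging or any SIEM product's rule. It assumes a JSON-lines log with the fields ts, user, event, checklistId, cardId and boardId (the board the client claimed) and a reference snapshot of card-to-board and board-to-members mappings, for instance exported from the database; all of those field names and the function names (parseChecklistEvents, findCrossBoardChecklistEvents, usersSpanningBoards) are assumptions.

```javascript
// Added example, not part of WeKan or any SIEM product. Field names, event
// names and the reference snapshot format are assumptions for illustration.

// Constructed sample log. Line 5 is deliberately malformed; line 7 is not a
// checklist event.
const LOG_LINES = [
  '{"ts":"2026-03-01T10:00:00Z","user":"alice","event":"checklist_create","checklistId":"cl_1","cardId":"card_1","boardId":"board_A"}',
  '{"ts":"2026-03-01T10:01:00Z","user":"bob","event":"checklist_modify","checklistId":"cl_2","cardId":"card_2","boardId":"board_B"}',
  '{"ts":"2026-03-01T10:02:00Z","user":"bob","event":"checklist_modify","checklistId":"cl_1","cardId":"card_1","boardId":"board_A"}',
  '{"ts":"2026-03-01T10:03:00Z","user":"bob","event":"checklist_delete","checklistId":"cl_1","cardId":"card_1","boardId":"board_B"}',
  'not json at all',
  '{"ts":"2026-03-01T10:04:00Z","user":"carol","event":"checklist_modify","checklistId":"cl_9","cardId":"card_9","boardId":"board_B"}',
  '{"ts":"2026-03-01T10:05:00Z","user":"alice","event":"card_move","cardId":"card_1","boardId":"board_A"}',
];

// Constructed reference snapshot: which board each card really belongs to, and
// who is a member of each board.
const CARD_BOARD = { card_1: "board_A", card_2: "board_B" };
const BOARD_MEMBERS = { board_A: ["alice"], board_B: ["bob"] };

// Parses JSON lines, skipping malformed ones, and keeps only checklist events.
function parseChecklistEvents(lines) {
  const events = [];
  for (const line of lines) {
    let ev;
    try {
      ev = JSON.parse(line);
    } catch (err) {
      continue; // malformed line: skip rather than abort the whole scan
    }
    if (typeof ev.event === "string" && ev.event.startsWith("checklist_")) events.push(ev);
  }
  return events;
}

// Indicator 1: the claimed board does not match the card's real board, or the
// acting user is not a member of that real board. The comparison is against
// the snapshot, never against what the request said.
function findCrossBoardChecklistEvents(lines, cardBoard, boardMembers) {
  const alerts = [];
  for (const ev of parseChecklistEvents(lines)) {
    const actualBoard = cardBoard[ev.cardId];
    const reasons = [];
    if (actualBoard === undefined) {
      reasons.push("card not in reference snapshot");
    } else {
      if (ev.boardId !== actualBoard) {
        reasons.push(`claimed board ${ev.boardId} but card belongs to ${actualBoard}`);
      }
      if (!(boardMembers[actualBoard] || []).includes(ev.user)) {
        reasons.push(`${ev.user} is not a member of ${actualBoard}`);
      }
    }
    if (reasons.length > 0) {
      alerts.push({ ts: ev.ts, user: ev.user, event: ev.event, checklistId: ev.checklistId, reasons });
    }
  }
  return alerts;
}

// Indicator 2: users whose checklist events span more than maxBoards distinct
// board IDs in the scanned window.
function usersSpanningBoards(lines, maxBoards) {
  const perUser = new Map();
  for (const ev of parseChecklistEvents(lines)) {
    if (!perUser.has(ev.user)) perUser.set(ev.user, new Set());
    perUser.get(ev.user).add(ev.boardId);
  }
  return [...perUser].filter(([, ids]) => ids.size > maxBoards).map(([user]) => user);
}

for (const a of findCrossBoardChecklistEvents(LOG_LINES, CARD_BOARD, BOARD_MEMBERS)) {
  console.log(a.ts, a.user, a.event, a.checklistId, "-", a.reasons.join("; "));
}
console.log("users spanning more than one board:", usersSpanningBoards(LOG_LINES, 1));
```

Refresh the snapshot on the same cadence as the log window you scan: a stale card-to-board mapping turns legitimate card moves into false positives, and a user legitimately added to a second board will trip the span check until the membership list is updated.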