CVE-2026-25565
📋 TL;DR
This CVE describes an authorization vulnerability in WeKan where users with read-only board roles can perform card updates that should require write permissions. The vulnerability affects WeKan instances where users have been assigned read-only access to boards. This allows unauthorized modification of card content, labels, assignments, and other attributes.
💻 Affected Systems
- WeKan
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Read-only users could modify critical card data, delete cards, or manipulate workflow states, potentially disrupting project management and causing data integrity issues.
Likely Case
Read-only users, inadvertently or intentionally, modify card details they should not be able to change, leading to data inconsistencies and workflow disruptions.
If Mitigated
Minimal impact if proper role-based access controls are enforced and users only have appropriate permissions.
🎯 Exploit Status
Exploitation requires an authenticated user with read-only access to a board. The vulnerability is straightforward to exploit once identified.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 8.19 and later
Vendor Advisory: https://github.com/wekan/wekan/commit/181f837d8cbae96bdf9dcbd31beaa3653c2c0285
Restart Required: Yes
Instructions:
1. Back up your WeKan instance and database.
2. Update WeKan to version 8.19 or later using your deployment method (Docker, Snap, or source).
3. Restart the WeKan service.
4. Verify that the update was successful.
🔧 Temporary Workarounds
Temporary role adjustment
Temporarily remove read-only board roles, or upgrade users to write roles if they legitimately need to perform updates.
🧯 If You Can't Patch
- Review and audit all user board permissions, removing unnecessary read-only access
- Implement additional monitoring for card update activities from read-only users
🔍 How to Verify
Check if Vulnerable:
Check the WeKan version via the admin panel or by examining the deployment. If the version is below 8.19, the system is vulnerable.
Check Version:
Check the WeKan admin panel, run: docker inspect wekan/wekan | grep WEKAN_VERSION, or check the package version in your deployment.
Verify Fix Applied:
After updating to 8.19+, test that read-only users cannot perform card updates on boards where they only have read access.
📡 Detection & Monitoring
Log Indicators:
- API calls to card update endpoints from users with read-only roles
- Unexpected card modifications from users with limited permissions
Network Indicators:
- POST/PUT requests to /api/boards/*/cards/* endpoints from unauthorized users
SIEM Query:
source="wekan" AND (event="card-update" OR event="card-modified") AND user_role="read-only"
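As an added example (not from this page or the WeKan project), the log and network indicators above turned into a check over constructed access-log lines: it flags successful POST/PUT/DELETE requests to card endpoints made by users whose role on that board is read-only, and ignores the 403 responses a patched instance should return. The log line format, the role table and the user and board names are assumptions, since the page does not specify WeKan's log format.

```python
import re

# Constructed sample log. The "<ts> <method> <path> user=<u> status=<code>" format is
# an assumption standing in for whatever proxy or application log is available.
SAMPLE_LOG = """\
2026-02-01T10:00:01Z PUT /api/boards/b1/lists/l1/cards/c7 user=alice status=200
2026-02-01T10:00:05Z GET /api/boards/b1/lists/l1/cards/c7 user=bob status=200
2026-02-01T10:00:09Z POST /api/boards/b1/lists/l1/cards user=bob status=200
2026-02-01T10:00:12Z PUT /api/boards/b1/lists/l1/cards/c7 user=bob status=200
2026-02-01T10:00:20Z DELETE /api/boards/b2/lists/l3/cards/c9 user=carol status=200
2026-02-01T10:00:25Z PUT /api/boards/b2/lists/l3/cards/c9 user=dave status=403
"""

# Constructed per-board role assignments (assumed to be exported from board membership).
BOARD_ROLES = {
    ("b1", "alice"): "normal",
    ("b1", "bob"): "read-only",
    ("b2", "carol"): "read-only",
    ("b2", "dave"): "read-only",
}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<method>[A-Z]+) (?P<path>\S+) user=(?P<user>\S+) status=(?P<status>\d{3})$"
)
# Card endpoints as named on the page: /api/boards/<board>/.../cards[/<card>]
CARD_PATH_RE = re.compile(r"^/api/boards/(?P<board>[^/]+)/.*cards(?:/[^/]+)?$")
WRITE_METHODS = {"POST", "PUT", "DELETE"}


def find_readonly_writes(log_text, roles):
    """Return (timestamp, user, method, path) for every successful write request
    to a card endpoint made by a user whose role on that board is read-only."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # line does not fit the assumed format; skip it
        p = CARD_PATH_RE.match(m["path"])
        if not p or m["method"] not in WRITE_METHODS:
            continue
        # Only a 2xx status means the write went through. A 403 is the expected
        # outcome on a patched instance, so it is not reported as a finding.
        if not m["status"].startswith("2"):
            continue
        if roles.get((p["board"], m["user"])) == "read-only":
            hits.append((m["ts"], m["user"], m["method"], m["path"]))
    return hits


if __name__ == "__main__":
    for hit in find_readonly_writes(SAMPLE_LOG, BOARD_ROLES):
        print("read-only user performed a card write:", *hit)
```

Against the sample, the check reports bob's POST and PUT on board b1 and carol's DELETE on board b2, while alice (a normal member) and dave (denied with 403) are not flagged.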