CVE-2026-25567
📋 TL;DR
This CVE describes an insecure direct object reference (IDOR) vulnerability in WeKan versions before 8.19. Authenticated users can spoof comment authorship by supplying an arbitrary authorId in the body of a card comment creation request; the server stores that value as the comment's author instead of the identity proven by the caller's session or API token, so any user who can comment can make a comment appear to come from another user. All WeKan instances running a vulnerable version are affected.
💻 Affected Systems
- WeKan
⚠️ Manual Verification Required
The NVD entry for this CVE carries no version range, so scanners that key on NVD/CPE data cannot tell whether a given install is affected. The vendor fix is in 8.19 (see below); treat anything older as vulnerable and confirm the version by hand:
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Malicious insider or compromised account could attribute inappropriate or malicious comments to other users, potentially causing reputation damage, false accusations, or social engineering attacks within the organization.
Likely Case
Users with legitimate access could play pranks or create confusion by making it appear other team members made specific comments, disrupting collaboration and creating attribution confusion.
If Mitigated
With proper logging and user awareness, the impact is limited to attribution confusion rather than data compromise or privilege escalation.
🎯 Exploit Status
Exploitation requires an authenticated account, but is a single API request with a modified authorId; no special tooling is needed. No public exploit code identified, and none is required.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 8.19 and later
Vendor Advisory: https://github.com/wekan/wekan/commit/67cb47173c1a152d9eaf5469740992b2dacdf62d
Restart Required: Yes
Instructions:
1. Back up your WeKan instance and data.
2. Update WeKan to version 8.19 or later using your deployment method (Docker, Snap, or source).
3. Restart the WeKan service.
4. Verify the update was successful (see How to Verify below).
🔧 Temporary Workarounds
API Request Validation
Implement middleware or reverse-proxy rules that reject (or rewrite) comment creation requests whose authorId does not match the authenticated user. Note that this requires inspecting the JSON request body, and the proxy must be able to resolve the caller's user ID from the API token or session; a path-only rule is not enough.
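The following is an added illustration, not WeKan's code and not the vendor's fix: a minimal model of a comment-creation handler in the vulnerable shape the advisory describes (author taken from the request body) beside a hardened version (author taken only from the authenticated identity), plus the same rule packaged as a guard that a middleware or body-inspecting proxy could apply in front of an unpatched instance. The request shape ({ userId, params, body }), the in-memory store and the user names are assumptions made for the example.

```javascript
// Added example (not WeKan's code). Assumed request shape: req.userId is the
// identity proven by the session/API token, req.params holds the route ids,
// req.body is the attacker-controlled JSON body. `store` stands in for the
// comments collection.

function vulnerableCreateComment(req, store) {
  // Bug class from the advisory: the stored author is whatever the caller put
  // in the body, so any authenticated user can name any other user.
  const comment = {
    _id: `comment-${store.length + 1}`,
    boardId: req.params.boardId,
    cardId: req.params.cardId,
    userId: req.body.authorId,
    text: req.body.text,
  };
  store.push(comment);
  return { status: 200, body: { _id: comment._id } };
}

function hardenedCreateComment(req, store) {
  if (!req.userId) {
    return { status: 401, body: { error: 'authentication required' } };
  }
  if (typeof req.body.text !== 'string' || req.body.text.trim() === '') {
    return { status: 400, body: { error: 'text is required' } };
  }
  // Policy choice: an explicit authorId that disagrees with the authenticated
  // user is rejected rather than silently overwritten, so the attempt shows
  // up as a 403 in access logs. A body that omits authorId is accepted.
  if (req.body.authorId !== undefined && req.body.authorId !== req.userId) {
    return { status: 403, body: { error: 'authorId must match the authenticated user' } };
  }
  const comment = {
    _id: `comment-${store.length + 1}`,
    boardId: req.params.boardId,
    cardId: req.params.cardId,
    userId: req.userId, // authorship comes only from the proven identity
    text: req.body.text,
  };
  store.push(comment);
  return { status: 200, body: { _id: comment._id } };
}

// Middleware / proxy variant of the same rule for an unpatched instance:
// given the user id resolved from the caller's token and the parsed JSON
// body, decide whether the request may be forwarded to WeKan.
function authorshipGuard(authUserId, body) {
  if (body && body.authorId !== undefined && body.authorId !== authUserId) {
    return { forward: false, reason: 'authorId mismatch' };
  }
  return { forward: true, reason: null };
}

// Walk-through with a constructed spoofing request: user "mallory" posts a
// comment naming "alice" as the author.
function demo() {
  const spoof = {
    userId: 'mallory',
    params: { boardId: 'b1', cardId: 'c1' },
    body: { authorId: 'alice', text: 'I approve this change' },
  };
  const before = [];
  const after = [];
  vulnerableCreateComment(spoof, before);
  const res = hardenedCreateComment(spoof, after);
  return {
    storedAuthorBeforeFix: before[0].userId, // 'alice' (spoofed)
    statusAfterFix: res.status,              // 403
    storedCountAfterFix: after.length,       // 0
  };
}
```

Rejecting rather than overwriting is the deliberate choice here: a 403 on the comment route is cheap to alert on, whereas a silent rewrite hides the attempt from anyone reading access logs.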
🧯 If You Can't Patch
- Implement strict access controls and monitor comment creation logs for authorId mismatches
- Educate users about the vulnerability and establish procedures for verifying comment authorship
🔍 How to Verify
Check if Vulnerable:
Check WeKan version via admin panel or by examining the running container/process. Versions below 8.19 are vulnerable.
Check Version:
docker inspect wekan/wekan | grep WEKAN_VERSION   (Docker: inspects the image tagged wekan/wekan; substitute the running container's name if more than one tag is present)
snap info wekan                                    (Snap)
Otherwise read the version from the WeKan admin interface.
Verify Fix Applied:
After updating to 8.19+, send a comment creation request through the REST API with a token belonging to user A and an authorId of user B in the JSON body. The request should be rejected, or the stored comment should show user A as its author; read the comment back to confirm rather than trusting the response alone.
📡 Detection & Monitoring
Log Indicators:
- Comment creation requests where the authorId in the request body differs from the authenticated user ID
- Unusual comment attribution patterns (a user "posting" on boards or cards they rarely touch, or a burst of comments attributed to one user from several sessions)
Network Indicators:
- POST requests to /api/boards/<boardId>/cards/<cardId>/comments (WeKan's REST route for new comments) carrying an authorId that does not match the token's user
SIEM Query:
source="wekan" AND http_method="POST" AND uri_path="/api/boards/*/cards/*/comments" AND body.authorId != userId
Caveat: a reverse proxy's access log records the path but not the JSON body, so body.authorId and the authenticated userId must both come from application-level logging or a body-capturing proxy. Where only access logs exist, alert on 403 responses to that route once the patch or the workaround above is in place, since a rejected spoof attempt is the only signal left.
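As an added example (not WeKan's, NVD's or any SIEM vendor's code), the log indicator above turned into runnable detection logic over constructed application-log lines. The log shape is an assumption: one JSON object per line with the authenticated user id (userId), method, path, status and the parsed request body. The route pattern matches WeKan's POST route for new comments; everything else (timestamps, user names) is constructed for the example.

```javascript
// Added example: flag comment-creation requests whose body.authorId disagrees
// with the authenticated userId. Assumed log format (one JSON event per line):
// {"ts":..., "method":..., "path":..., "userId":..., "body":{...}, "status":...}

const COMMENT_ROUTE = /^\/api\/boards\/[^/]+\/cards\/[^/]+\/comments\/?$/;

function parseLine(line) {
  try {
    return JSON.parse(line);
  } catch (e) {
    return null; // non-JSON or truncated line: skip, do not abort the scan
  }
}

function findAuthorSpoofAttempts(lines) {
  const findings = [];
  lines.forEach((line, i) => {
    const ev = parseLine(line);
    if (!ev || ev.method !== 'POST' || !COMMENT_ROUTE.test(ev.path || '')) return;
    const body = ev.body || {};
    // An absent authorId is not a spoof; only an explicit, mismatching one is.
    if (body.authorId === undefined || body.authorId === ev.userId) return;
    findings.push({
      line: i + 1,
      ts: ev.ts,
      actor: ev.userId,      // who really sent the request
      claimed: body.authorId, // who the comment would be attributed to
      path: ev.path,
      status: ev.status,     // 200 on a vulnerable build, 403 once guarded
    });
  });
  return findings;
}

// Per-actor counts, useful for a threshold alert rather than one event per hit.
function summarizeByActor(findings) {
  return findings.reduce((acc, f) => {
    acc[f.actor] = (acc[f.actor] || 0) + 1;
    return acc;
  }, {});
}

// Constructed sample log: two legitimate comment posts, one GET, one request
// to an unrelated route, one spoof attempt, and one malformed line.
const SAMPLE_LOG = [
  '{"ts":"2026-02-10T09:12:01Z","method":"POST","path":"/api/boards/b1/cards/c1/comments","userId":"alice","body":{"authorId":"alice","text":"LGTM"},"status":200}',
  '{"ts":"2026-02-10T09:12:05Z","method":"GET","path":"/api/boards/b1/cards/c1/comments","userId":"bob","status":200}',
  '{"ts":"2026-02-10T09:13:40Z","method":"POST","path":"/api/boards/b1/cards/c2/comments","userId":"bob","body":{"text":"no authorId given"},"status":200}',
  '{"ts":"2026-02-10T09:15:22Z","method":"POST","path":"/api/boards/b1/cards/c1/comments","userId":"mallory","body":{"authorId":"alice","text":"Approved, ship it"},"status":200}',
  'not a json line at all',
  '{"ts":"2026-02-10T09:16:00Z","method":"POST","path":"/api/boards/b1/lists","userId":"mallory","body":{"title":"Done"},"status":200}',
];

function demo() {
  return findAuthorSpoofAttempts(SAMPLE_LOG);
}
```

On the sample, only line 4 is reported (actor mallory, claimed alice). The status field is kept in each finding so the same scan distinguishes a successful spoof on an unpatched build (200) from a blocked attempt after the fix or workaround (403).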