CVE-2026-25568
📋 TL;DR
This CVE describes an authorization bypass vulnerability in WeKan where the allowPrivateOnly configuration setting is not properly enforced. When enabled, this setting should restrict users to creating only private boards, but due to incomplete server-side validation, users can still create public boards. This affects all WeKan instances with allowPrivateOnly enabled prior to version 8.19.
💻 Affected Systems
- WeKan
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Sensitive information could be exposed through unauthorized public boards, potentially leaking confidential project data, user information, or internal communications to unauthorized parties.
Likely Case
Users inadvertently or intentionally create public boards when they should be restricted to private-only creation, leading to unintended data exposure within the organization.
If Mitigated
With proper monitoring and user awareness, the impact is limited to potential minor data exposure that can be quickly detected and remediated.
🎯 Exploit Status
Exploitation requires authenticated user access. The vulnerability is straightforward to exploit by any authenticated user attempting to create a public board when allowPrivateOnly is enabled.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 8.19 and later
Vendor Advisory: https://github.com/wekan/wekan/commit/7ed76c180ede46ab1dac6b8ad27e9128a272c2c8
Restart Required: Yes
Instructions:
1. Update WeKan to version 8.19 or later.
2. Restart the WeKan service.
3. Verify the allowPrivateOnly setting is properly enforced by testing board creation.
🔧 Temporary Workarounds
Disable allowPrivateOnly setting
Temporarily disable the allowPrivateOnly configuration setting until patching is possible
Edit WeKan configuration to set allowPrivateOnly: false
🧯 If You Can't Patch
- Implement strict monitoring of board creation events and audit logs for public board creation attempts
- Educate users about the restriction and implement manual review processes for board creation
🔍 How to Verify
Check if Vulnerable:
Check if allowPrivateOnly is enabled in configuration and test creating a public board as an authenticated user. If public board creation succeeds, the system is vulnerable.
Check Version:
Check the WeKan version in the admin panel or via the API endpoint
Verify Fix Applied:
After updating to version 8.19+, enable allowPrivateOnly and attempt to create a public board. Creation should be blocked with an appropriate error message.
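The TL;DR attributes the bypass to incomplete server-side validation, and the verification step above expects public board creation to be rejected. The following is an added illustrative model, not WeKan's own code: a trusting handler beside one that enforces allowPrivateOnly on the server, regardless of what the client UI offers. The settings object, request shape and function names are assumptions; it also goes one step beyond the advisory by applying the same policy to later permission changes.

```javascript
// Added illustrative example (not WeKan's code). Constructed settings store
// standing in for the instance configuration discussed in the advisory.
const settings = { allowPrivateOnly: true };

// Vulnerable pattern: the server trusts the permission the client sent, so
// hiding the "public" option in the UI is the only control. Any authenticated
// client that sends permission: "public" gets a public board.
function createBoardUnchecked(req, user) {
  return { title: req.title, owner: user, permission: req.permission };
}

// Hardened pattern: the server decides the effective permission and rejects
// a public request (with an explicit error) while allowPrivateOnly is on.
function createBoardChecked(req, user, cfg = settings) {
  const allowed = new Set(['private', 'public']);
  if (!allowed.has(req.permission)) {
    throw new Error('invalid permission value');
  }
  if (cfg.allowPrivateOnly && req.permission !== 'private') {
    throw new Error('allowPrivateOnly is enabled: only private boards may be created');
  }
  return { title: req.title, owner: user, permission: req.permission };
}

// Generalisation beyond the advisory (which only discusses creation): the
// same policy must cover permission changes, otherwise a user could create a
// private board and flip it to public afterwards.
function setBoardPermission(board, newPermission, cfg = settings) {
  if (cfg.allowPrivateOnly && newPermission !== 'private') {
    throw new Error('allowPrivateOnly is enabled: boards must remain private');
  }
  return { ...board, permission: newPermission };
}

// Returns true when a call is rejected; mirrors the "creation should be
// blocked" check in the How to Verify section.
function isBlocked(fn) {
  try { fn(); return false; } catch (e) { return true; }
}
```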
📡 Detection & Monitoring
Log Indicators:
- Log entries showing successful public board creation when allowPrivateOnly is enabled
- Audit logs with board creation events
Network Indicators:
- API calls to create boards with public visibility setting
SIEM Query:
source="wekan" AND (event="board_create" OR event="board_creation") AND visibility="public"