WeKan versions prior to 8.19 contain an information disclosure vulnerability in the attachments publication. Attachment metadata can be returned without properly scoping results to boards and cards accessible to the requesting user, potentially exposing attachment metadata to unauthorized users.
PUBLISHED5.2CWE-203
WeKan < 8.19 Attachments Publication Information Disclosure
Problem type
Affected products
WeKan
WeKan
< 8.19 - AFFECTED
References
github.com
https://github.com/wekan/wekan/commit/6dfa3beb2b6ab23438d0f4395b84bf0749eb4820
wekan.fi
https://wekan.fi/
vulncheck.com
https://www.vulncheck.com/advisories/wekan-attachments-publication-information-disclosure
GitHub Security Advisories
GHSA-4h56-xmq8-7hc9
WeKan versions prior to 8.19 contain an information disclosure vulnerability in the attachments...
https://github.com/advisories/GHSA-4h56-xmq8-7hc9WeKan versions prior to 8.19 contain an information disclosure vulnerability in the attachments publication. Attachment metadata can be returned without properly scoping results to boards and cards accessible to the requesting user, potentially exposing attachment metadata to unauthorized users.
nvd.nist.gov
https://nvd.nist.gov/vuln/detail/CVE-2026-25562
github.com
https://github.com/wekan/wekan/commit/6dfa3beb2b6ab23438d0f4395b84bf0749eb4820
wekan.fi
https://wekan.fi
vulncheck.com
https://www.vulncheck.com/advisories/wekan-attachments-publication-information-disclosure
github.com
https://github.com/advisories/GHSA-4h56-xmq8-7hc9
JSON source
https://cveawg.mitre.org/api/cve/CVE-2026-25562Click to expand
{
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"cveMetadata": {
"cveId": "CVE-2026-25562",
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"dateUpdated": "2026-02-07T21:57:12.352Z",
"dateReserved": "2026-02-02T20:12:33.396Z",
"datePublished": "2026-02-07T21:57:12.352Z",
"state": "PUBLISHED"
},
"containers": {
"cna": {
"providerMetadata": {
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck",
"dateUpdated": "2026-02-07T21:57:12.352Z"
},
"title": "WeKan < 8.19 Attachments Publication Information Disclosure",
"descriptions": [
{
"lang": "en",
"value": "WeKan versions prior to 8.19 contain an information disclosure vulnerability in the attachments publication. Attachment metadata can be returned without properly scoping results to boards and cards accessible to the requesting user, potentially exposing attachment metadata to unauthorized users.",
"supportingMedia": [
{
"type": "text/html",
"base64": false,
"value": "WeKan versions prior to 8.19 contain an information disclosure vulnerability in the attachments publication. Attachment metadata can be returned without properly scoping results to boards and cards accessible to the requesting user, potentially exposing attachment metadata to unauthorized users."
}
]
}
],
"affected": [
{
"vendor": "WeKan",
"product": "WeKan",
"repo": "https://github.com/wekan/wekan",
"defaultStatus": "unaffected",
"versions": [
{
"version": "0",
"status": "affected",
"versionType": "semver",
"lessThan": "8.19"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"lang": "en",
"description": "CWE-203 Observable Discrepancy",
"cweId": "CWE-203",
"type": "CWE"
}
]
}
],
"references": [
{
"url": "https://github.com/wekan/wekan/commit/6dfa3beb2b6ab23438d0f4395b84bf0749eb4820",
"tags": [
"patch"
]
},
{
"url": "https://wekan.fi/",
"tags": [
"product"
]
},
{
"url": "https://www.vulncheck.com/advisories/wekan-attachments-publication-information-disclosure",
"tags": [
"third-party-advisory"
]
}
],
"metrics": [
{
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Joshua Rogers",
"type": "finder"
}
]
}
}
}